Summary
@tinacms/graphql uses string-based path containment checks in FilesystemBridge:
path.resolve(path.join(baseDir, filepath))startsWith(resolvedBase + path.sep)
That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it.
As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root.
Details
The current bridge validation is:
function assertWithinBase(filepath: string, baseDir: string): string {
const resolvedBase = path.resolve(baseDir);
const resolved = path.resolve(path.join(baseDir, filepath));
if (
resolved !== resolvedBase &&
!resolved.startsWith(resolvedBase + path.sep)
) {
throw new Error(
`Path traversal detected: "${filepath}" escapes the base directory`
);
}
return resolved;
}
But the bridge then performs real filesystem I/O on the resulting path:
public async get(filepath: string) {
const resolved = assertWithinBase(filepath, this.outputPath);
return (await fs.readFile(resolved)).toString();
}
public async put(filepath: string, data: string, basePathOverride?: string) {
const basePath = basePathOverride || this.outputPath;
const resolved = assertWithinBase(filepath, basePath);
await fs.outputFile(resolved, data);
}
public async delete(filepath: string) {
const resolved = assertWithinBase(filepath, this.outputPath);
await fs.remove(resolved);
}
This is a classic realpath gap:
- validation checks the lexical path string
- the filesystem follows the link target during I/O
- the actual target can be outside the intended root
This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled relativePath, but that validation is also string-based:
const realPath = path.join(collection.path, relativePath);
this.validatePath(realPath, collection, relativePath);
Database write and delete operations then call the bridge:
await this.bridge.put(normalizedPath, stringifiedFile);
...
await this.bridge.delete(normalizedPath);
Local Reproduction
This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.
Test layout:
- content root:
D:\bugcrowd\tinacms\temp\junction-repro4 - allowed collection path:
content/posts - junction inside collection:
content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside - file outside content root:
outside\secret.txt
Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.
Observed result:
{
"graphqlBridge": {
"collectionPath": "content/posts",
"requestedRelativePath": "pivot/owned.md",
"validatedRealPath": "content\\posts\\pivot\\owned.md",
"bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md",
"bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n",
"outsideGraphqlWriteExists": true,
"outsideGraphqlWriteContents": "GRAPHQL_ESCAPE"
}
}
That is the critical point:
- the path was accepted as inside
content/posts - the bridge read
outside\secret.txt - the bridge wrote
outside\owned.md
So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.
Resources
packages/@tinacms/graphql/src/database/bridge/filesystem.tspackages/@tinacms/graphql/src/database/index.tspackages/@tinacms/graphql/src/resolver/index.ts
Impact
- Arbitrary file read/write outside the configured content root
- Potential delete outside the configured content root via the same
assertWithinBase()gap indelete() - Breaks the assumptions of the recent path-traversal fixes because only lexical traversal is blocked
- Practical attack chains where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations
The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-34604 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.2.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The containment check needs to compare canonical filesystem paths, not just string-normalized paths.
For example:
- resolve the base with
fs.realpath() - resolve the candidate path's parent with
fs.realpath() - reject any request whose real target path escapes the real base
- for write operations, carefully canonicalize the nearest existing parent directory before creating the final file
In short: use realpath-aware containment checks for every filesystem sink, not path.resolve(...).startsWith(...) alone.
Frequently Asked Questions
- What is CVE-2026-34604? CVE-2026-34604 is a high-severity path traversal vulnerability in @tinacms/graphql (npm), affecting versions <= 2.2.0. It is fixed in 2.2.2. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-34604? CVE-2026-34604 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @tinacms/graphql are affected by CVE-2026-34604? @tinacms/graphql (npm) versions <= 2.2.0 is affected.
- Is there a fix for CVE-2026-34604? Yes. CVE-2026-34604 is fixed in 2.2.2. Upgrade to this version or later.
- Is CVE-2026-34604 exploitable, and should I be worried? Whether CVE-2026-34604 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-34604 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-34604? Upgrade
@tinacms/graphqlto 2.2.2 or later.