CVE-2026-28793
Published: 12 March 2026
Summary
CVE-2026-28793 is a high-severity Path Traversal (CWE-22) vulnerability in Ssw Tinacms/Cli. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the path traversal vulnerability by identifying, reporting, and applying the fix available in TinaCMS version 2.1.8.
- Implements input validation on user-controlled path segments in media endpoints to ensure resolved paths remain within the configured media directory, preventing traversal attacks.
- Enforces approved access authorizations to restrict read and write operations to only the intended media directory, blocking arbitrary filesystem access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the local dev server's media endpoints directly enables arbitrary file read (T1005 Data from Local System) and arbitrary file write, which is equivalent to ingress of attacker-controlled content (T1105 Ingress Tool Transfer); neither requires authentication.
NVD Description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.
When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.
Deeper analysis
CVE-2026-28793 is a path traversal vulnerability (CWE-22) in the TinaCMS CLI development server, part of Tina, a headless content management system. Versions prior to 2.1.8 expose media endpoints such as /media/list/*, /media/upload/*, and /media/* on a local HTTP server (default port 4001) started by the `tinacms dev` command. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path stays within the configured media directory, enabling attackers to read and write arbitrary files on the filesystem outside the intended directory. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Attackers can exploit this vulnerability if they have network access to the local development server, such as on the same machine or local network where `tinacms dev` is running. No privileges or user interaction are required, and exploitation involves sending crafted requests to the vulnerable media endpoints with path traversal payloads (e.g., sequences like ../). Successful exploitation allows arbitrary file read and write operations on the host filesystem, potentially leading to full system compromise depending on the server's privileges and the attacker's goals.
The GitHub security advisory (GHSA-2f24-mg4x-534q) confirms the issue and states that it is fixed in TinaCMS version 2.1.8, recommending users upgrade to this or later versions to mitigate the vulnerability. No additional workarounds are specified in the provided details.
Details
- CWE(s)