Cyber Posture

CVE-2026-29066

Severity: Medium · Public PoC

Published: 12 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: TinaCMS 2.1.8
CVSS Score: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0468 (89.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29066 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the TinaCMS CLI (tinacms/cli, vendor ssw). Its CVSS v3.1 base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 10.6% of CVEs by exploit likelihood (EPSS 89.4th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent)
Enforces secure configuration settings for the TinaCMS CLI dev server, such as setting Vite's server.fs.strict to true, which directly prevents arbitrary filesystem access.

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation by patching to TinaCMS version 2.1.8, which corrects the vulnerable Vite configuration.

Least functionality (prevent)
Restricts dev server functionality to the least necessary, removing the unrestricted filesystem access exposed by the misconfiguration.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The misconfigured Vite dev server directly enables arbitrary local file reads (T1005 Data from Local System) by unauthenticated attackers who can reach the exposed application (T1190 Exploit Public-Facing Application). Note that the assigned CVSS vector is AV:L (local), consistent with a dev server that by default listens only on localhost; T1190 applies when the dev server has been bound to a network-reachable interface or otherwise exposed, which is what turns this from a local into a remote file read.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

Deeper analysis

CVE-2026-29066 is a vulnerability in Tina, a headless content management system, affecting versions prior to 2.1.8. The issue resides in the TinaCMS CLI dev server, which configures the Vite development server with server.fs.strict set to false. This disables Vite's built-in filesystem access restrictions, enabling unauthorized file access. The vulnerability is rated with a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-552 (Files or Directories Accessible to External Parties).

An unauthenticated attacker who can reach the dev server can exploit this misconfiguration to read arbitrary files on the host system, potentially exposing sensitive data such as configuration files, source code, or other local resources.

The vulnerability was published on 2026-03-12 and is addressed in TinaCMS version 2.1.8, which corrects the Vite configuration. For detailed mitigation guidance, refer to the GitHub Security Advisory at https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6.
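The configuration point above, as an added example that is not TinaCMS or Vite project code: a small Node.js script that audits a Vite `server` config object for the weak setting the advisory describes (`server.fs.strict: false`, or an allow-list that includes a filesystem root), flags whether the server is bound beyond loopback, and checks an installed version against the 2.1.8 fix. The two config objects are constructed for illustration; the function names, finding identifiers and the `isVulnerableVersion` helper are this example's own, and the Vite semantics it relies on (`server.fs.strict` defaults to true and limits served files to the workspace root plus `server.fs.allow`; `server.host` set to `true`, `"0.0.0.0"` or `"::"` listens on all interfaces) are taken from Vite's documentation as assumptions, not from the advisory.

```javascript
// Added example, not TinaCMS or Vite project code. Audits a Vite `server`
// config object for the misconfiguration behind CVE-2026-29066 plus network
// exposure, and compares an installed version with the fixed release.
// Assumed Vite semantics (from Vite's docs): server.fs.strict defaults to true
// and limits served files to the workspace root plus server.fs.allow;
// server.host === true, "0.0.0.0" or "::" listens on all interfaces.

const FIXED_VERSION = "2.1.8"; // from the advisory: fixed in 2.1.8

// Constructed sample: the weak shape the advisory describes.
const vulnerableConfig = { server: { fs: { strict: false } } };

// Constructed sample: corrected shape. strict on, explicit allow-list,
// sensitive files denied, bound to loopback only.
const hardenedConfig = {
  server: {
    host: "127.0.0.1",
    fs: {
      strict: true,
      allow: ["."],
      deny: [".env", ".env.*", "*.{crt,pem}", "**/.git/**"],
    },
  },
};

// "/" on POSIX, or a bare drive letter such as "C:\" on Windows.
function isFilesystemRoot(p) {
  return p === "/" || /^[A-Za-z]:[\\/]?$/.test(p);
}

// Returns a list of findings; an empty list means nothing was detected.
function auditViteServerConfig(config) {
  const findings = [];
  const server = (config && config.server) || {};
  const fs = server.fs || {};

  if (fs.strict === false) {
    findings.push({ id: "fs-strict-disabled", severity: "high",
      message: "server.fs.strict is false: any file readable by the dev-server process can be served" });
  }
  if (Array.isArray(fs.allow) && fs.allow.some(isFilesystemRoot)) {
    findings.push({ id: "fs-allow-root", severity: "high",
      message: "server.fs.allow contains a filesystem root, which is equivalent to strict: false" });
  }
  if (server.host === true || server.host === "0.0.0.0" || server.host === "::") {
    findings.push({ id: "host-all-interfaces", severity: "medium",
      message: "server.host listens on all interfaces, so the dev server is reachable from the network" });
  }
  return findings;
}

// Collapses findings into the exposure a defender cares about. The CVSS
// vector for this CVE is AV:L; the read becomes network-reachable only when
// the unrestricted server is also bound to a non-loopback interface.
function classifyExposure(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const unrestricted = ids.has("fs-strict-disabled") || ids.has("fs-allow-root");
  if (!unrestricted) return "ok";
  return ids.has("host-all-interfaces")
    ? "arbitrary-file-read:network"
    : "arbitrary-file-read:local";
}

// Numeric major.minor.patch comparison; a pre-release suffix is ignored
// (assumption for this example). True when `installed` predates the fix.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    if (!m) throw new TypeError(`unparseable version: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const a = parse(installed);
  const b = parse(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Usage: prints the exposure class for each constructed config.
for (const [name, cfg] of [["vulnerable", vulnerableConfig], ["hardened", hardenedConfig]]) {
  console.log(name, classifyExposure(auditViteServerConfig(cfg)));
}
console.log("2.1.7 vulnerable:", isVulnerableVersion("2.1.7"));
```

To run this against a real project, load the resolved Vite config (for example by importing `vite.config.js`) and pass the object in. An "arbitrary-file-read:local" result still warrants the 2.1.8 upgrade: anything else on the developer's machine that can reach the loopback port can read the same files.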

Details

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-552 Files or Directories Accessible to External Parties

Affected Products

ssw tinacms/cli, versions prior to 2.1.8 (fixed in 2.1.8)

CVEs Like This One

CVE-2026-28793 (same product: ssw tinacms/cli)
CVE-2026-28791 (same product: ssw tinacms/cli)
CVE-2026-28792 (same product: ssw tinacms/cli)
CVE-2026-34603 (same product: ssw tinacms/cli)
CVE-2025-68278 (same product: ssw tinacms/cli)
CVE-2026-34604 (same vendor: ssw)
CVE-2026-33949 (same vendor: ssw)
CVE-2026-35446 (shared CWE-552)
CVE-2026-34392 (shared CWE-552)
CVE-2025-24253 (shared CWE-200)

References

GitHub Security Advisory GHSA-m48g-4wr2-j2h6: https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6