CVE-2026-34604
Published: 01 April 2026
Summary
CVE-2026-34604 is a high-severity Path Traversal (CWE-22) vulnerability in Ssw Tinacms/Graphql. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of the path traversal flaw in the @tinacms/graphql FilesystemBridge, such as patching to version 2.2.2, where symlink/junction resolution is properly implemented.
- SI-10 (Information Input Validation): mandates validation and sanitization of filesystem path inputs to FilesystemBridge methods such as get(), put(), delete(), and glob(), so that they resolve only to locations under the intended root and symlink/junction-based traversal is blocked.
- AC-3 (Access Enforcement): enforces approved authorizations for filesystem resource access, requiring mechanisms that resolve the actual symlink/junction target rather than relying on string-based path checks, so that operations cannot reach outside the content root.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the path traversal flaw sits in the FilesystemBridge component of the public-facing Tina CMS GraphQL service and is reachable over the network with file read, write, delete, and glob capabilities, which maps directly to exploitation of a public-facing application.
NVD Description
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.
Deeper analysis
CVE-2026-34604 is a path traversal vulnerability in the FilesystemBridge component of @tinacms/graphql, part of Tina, a headless content management system. Prior to version 2.2.2, the component performs string-based path containment checks that block basic "../" traversal but fail to resolve symlink or junction targets. If a symlink or junction exists under the allowed content root, paths like "content/posts/pivot/owned.md" are treated as within bounds despite targeting files outside the root, enabling FilesystemBridge methods such as get(), put(), delete(), and glob() to access unintended filesystem locations. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Improper Link Resolution Before File Access), with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).
A low-privileged remote attacker (PR:L) can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction required. By leveraging an existing or creatable symlink or junction within the permitted content root, the attacker can pivot operations to read, write, delete, or glob files outside the intended directory, achieving high confidentiality impact (C:H) through unauthorized data access, high integrity impact (I:H) via modifications or deletions, and low availability impact (A:L).
The issue has been addressed in Tina version 2.2.2, as detailed in the GitHub security advisory GHSA-g9c2-gf25-3x67 and the patching commit f124eabaca10dac9a4d765c9e4135813c4830955. Security practitioners should upgrade to version 2.2.2 or later to mitigate the vulnerability.
Details
- CWE(s)