Impact
TinaCMS allows content documents to be created, updated, and deleted via GraphQL mutations that accept a relative file path. The server combines that path with the collection root using path.join() without first checking that the resolved path still lies inside the collection directory. path.join() only normalizes '..' segments; it does not reject them, so a path such as ../../../etc/passwd joins to a location outside the collection. An attacker who can issue these mutations can therefore read, create, overwrite, or delete files outside the intended content area, limited only by the filesystem permissions of the process running the GraphQL server, potentially exposing confidential data or modifying files the application depends on. The weakness is classified as CWE-22: Path Traversal.
Affected Systems
The vulnerability affects the @tinacms/graphql package in all releases before version 2.1.2. Deployments running any of these earlier releases are potentially vulnerable. The CPE for affected products is cpe:2.3:a:ssw:tinacms/graphql:*:*:*:*:*:node.js:*:*.
Risk and Exploitability
The CVSS score of 6.3 places the vulnerability at medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to execute GraphQL mutations, so an attacker must either be an authenticated user with builder or editor permissions, or the GraphQL endpoint must be reachable without authentication. The impact grows with what the server process can reach: any file it can read or write outside the collection directory is exposed. Given the medium CVSS score and low EPSS, the overall risk is medium, but the potential harm warrants prompt upgrading to 2.1.2 or later.
OpenCVE Enrichment
GitHub GHSA