Description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Published: 2026-03-12
Score: 6.2 Medium
EPSS: 3.1% Low
KEV: No
Impact: Remote File Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs because TinaCMS CLI's development server configures Vite with server.fs.strict set to false before version 2.1.8. This disables Vite's filesystem access restriction, allowing any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. The primary impact is information disclosure that could expose confidential data, credentials, or code, potentially leading to further compromise. The weakness maps to CWE-200 (Information Exposure) and CWE-552 (Unrestricted Input).

Affected Systems

The affected product is the @tinacms/cli command-line interface for Tina, a headless CMS. All installations of TinaCMS CLI prior to version 2.1.8 are affected. The vulnerability is specifically tied to the development server configuration within those versions.

Risk and Exploitability

The CVSS score for this issue is 6.2, indicating a medium severity. The EPSS score is below 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this remotely and without authentication by simply accessing the development server over the network. However, because the dev server must be network-reachable for this to work, it is a less likely widespread target. Nevertheless, early patching is advised to prevent potential data leaks.

Generated by OpenCVE AI on March 18, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinaCMS CLI to version 2.1.8 or later
  • Restrict access to the dev server or disable it in production environments
  • If upgrading is not immediately possible, configure Vite with server.fs.strict = true to re-enable filesystem restrictions
  • Monitor and log file read attempts on the dev server for potential abuse
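Added example, not code from TinaCMS, Vite or this advisory: the pre-2.1.8 style `server.fs.strict: false` setting beside a hardened dev-server configuration, plus a constructed helper (`auditViteFsConfig`, assumed here) that flags the weak setting in a Vite config object. `server.host`, `server.fs.allow` and `server.fs.deny` are standard Vite options; the specific values are assumptions.

```javascript
// Added example: weak vs. hardened Vite dev-server `server.fs` settings,
// plus a small audit helper. The config objects are constructed here and
// the helper is not part of Vite or TinaCMS.

// The pre-2.1.8 setting described in the advisory: strict is disabled, so
// the dev server will serve files from outside the project root.
const weakConfig = {
  server: {
    fs: { strict: false },
  },
};

// Hardened config: strict restored (Vite's default), access limited to the
// project directory, sensitive files denied, and the server bound to
// loopback so it is not reachable from the network. Values are assumptions.
const hardenedConfig = {
  server: {
    host: '127.0.0.1',
    fs: {
      strict: true,
      allow: ['.'],
      deny: ['.env', '.env.*', '*.{pem,key}'],
    },
  },
};

// Audit a Vite config object for the weakness in this advisory.
// Returns a list of findings; an empty list means the fs restriction is intact.
function auditViteFsConfig(config) {
  const findings = [];
  const fs = (config.server && config.server.fs) || {};
  // Vite defaults `strict` to true, so only an explicit `false` is a finding.
  if (fs.strict === false) {
    findings.push('server.fs.strict is false: dev server serves arbitrary host files');
  }
  // An allow-list that reaches the filesystem root or above the project
  // undoes the restriction even with strict enabled.
  if (Array.isArray(fs.allow) && fs.allow.some((p) => p === '/' || p.startsWith('..'))) {
    findings.push('server.fs.allow grants access outside the project root');
  }
  return findings;
}
```

Run the helper over each `vite.config.js` before exposing a dev server; the first two constants double as sample input.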


Advisories
Source: GitHub GHSA
ID: GHSA-m48g-4wr2-j2h6
Title: TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction
History

Fri, 13 Mar 2026 20:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Ssw; Ssw tinacms\/cli
CPEs                  -                cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*
Vendors & Products    -                Ssw; Ssw tinacms\/cli

Fri, 13 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Tina; Tina tinacms
Vendors & Products    -                Tina; Tina tinacms

Thu, 12 Mar 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description   -                Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Title         -                Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI
Weaknesses    -                CWE-200; CWE-552
References    -                -
Metrics       -                cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-13T16:27:22.344Z
Reserved: 2026-03-03T20:51:43.482Z
Link: CVE-2026-29066

Vulnrichment
Updated: 2026-03-13T16:27:13.369Z

NVD
Status: Analyzed
Published: 2026-03-12T17:16:50.700
Modified: 2026-03-13T19:57:18.363
Link: CVE-2026-29066

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-03-20T15:48:53Z

Weaknesses