CVE-2026-33949 - Vulnerability Details

- @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

Description

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.

Published: 2026-04-01

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A path traversal flaw in the @tinacms/graphql GraphQL API enables unauthenticated attackers to craft mutation requests that write or overwrite any file in the project root, potentially replacing critical configuration files or tampering build scripts to run arbitrary code. This weakness aligns with CWE‑22 and CWE‑73.

Affected Systems

The vulnerable component is the @tinacms/graphql module used in Tina CMS, a headless content management system built on Node.js. Any installation of this package that is running a version earlier than 2.2.2 is affected. The flaw impacts any deployment that exposes the GraphQL endpoint of Tina CMS to unauthenticated traffic.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of < 1% reflects a currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no authentication and relies on sending a crafted GraphQL mutation; thus the attack surface is wide but the impact is severe if achieved.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

tinacms

affected

Version	Status	Constraints
`< 2.2.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:ssw:tinacms\/graphql:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Tina

Tinacms

89%

Version	Status	Scheme	Platform
`[0,2.2.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade @tinacms/graphql to version 2.2.2 or later.
Verify that the GraphQL endpoint is not publicly exposed to unauthenticated users.
If an immediate update is not possible, restrict access to GraphQL mutations to authenticated users or block the relativePath parameter if feasible.
Monitor the integrity of critical application files to detect unauthorized changes.

Generated by OpenCVE AI on April 7, 2026 at 21:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v9p7-gf3q-h779	@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0012.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779

History

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ssw Ssw tinacms\/graphql
CPEs		cpe:2.3:a:ssw:tinacms\/graphql::::::node.js::*
Vendors & Products		Ssw Ssw tinacms\/graphql

Fri, 03 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tina Tina tinacms
Vendors & Products		Tina Tina tinacms

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.
Title		@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
Weaknesses		CWE-22 CWE-73
References		https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Ssw Tinacms\/graphql

Tina Tinacms

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-01T15:54:12.351Z

Updated: 2026-04-03T16:44:46.487Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33949

Vulnrichment

Updated: 2026-04-03T16:44:42.991Z

NVD

Status : Analyzed

Published: 2026-04-01T17:28:39.507

Modified: 2026-04-07T19:17:35.867

Link: CVE-2026-33949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:57:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object