PT-2026-25007 · Npm+3 · @Tinacms/Graphql+2

Published 2026-03-12 · Updated 2026-03-12 · CVE-2026-24125

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: TinaCMS versions prior to 2.1.2

Description: TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. An authenticated user with document mutation permissions can create content files, move or rename files, delete content files, and read file contents outside collection boundaries. Several constraints limit the practical impact of this issue, including schema validation, required authentication, and Git tracking of file operations. The vulnerability can be exploited through GraphQL mutations such as createDocument, updateDocument, deleteDocument, and createFolder. The API endpoint involved is /api/graphql. The vulnerable parameters are relativePath and newRelativePath.

Recommendations: Update TinaCMS to version 2.1.2 or later.

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-24125
GHSA-2238-XC5R-V9HJ

Affected Products

@Tinacms/Graphql
Graphql
Tinacms