PT-2026-25014 · npm +3 · @tinacms/cli +2

Alaeddine03

·

Published

2026-03-12

·

Updated

2026-04-09

·

CVE-2026-29066

CVSS v3.1

6.2

Medium

Vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: TinaCMS versions prior to 2.1.8
Description: TinaCMS is a headless content management system. Before version 2.1.8, the TinaCMS CLI development server configured Vite with server.fs.strict: false, which disables Vite's built-in restriction on serving files from outside the project workspace (the server.fs.allow list). An unauthenticated attacker who can reach the development server can therefore read any file the server process is able to read, including /etc/passwd, /etc/shadow, SSH private keys and .env files holding environment variables. The server is configured in packages/@tinacms/cli/src/next/vite/index.ts and also enables permissive CORS, which makes browser-based exploitation such as DNS rebinding easier. The exposure is most serious wherever the development server is reachable beyond the developer's own machine: cloud IDEs, Docker or VM setups with port forwarding, misconfigured environments, and hosts susceptible to DNS rebinding attacks.
Recommendations: Versions prior to 2.1.8 should be updated to version 2.1.8 or later. Until the update is applied, do not expose the development server beyond the loopback interface (no 0.0.0.0 bind, no port forwarding to it).
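To make the effect of server.fs.strict concrete, the following is an added example written for this page; it is not code from TinaCMS or from Vite. It places the weak setting the advisory describes beside a hardened counterpart and models, in a few lines, the decision Vite's filesystem restriction makes for a /@fs/ request (Vite serves absolute paths under that prefix). The project root path, the two config objects, the helper names and the model of the check are all assumptions made for illustration; Vite's real implementation has more cases, but the prefix-after-normalisation logic is the part that matters here.

```typescript
// Added example (not TinaCMS/Vite code): models Vite's server.fs restriction so the
// consequence of server.fs.strict: false can be exercised offline.

interface FsOptions { strict: boolean; allow: string[] }
interface DevServerConfig {
  host: string;
  cors: boolean | { origin: string[] };
  fs: FsOptions;
}

// Hypothetical workspace; any absolute directory would do.
const PROJECT_ROOT = "/home/dev/my-site";

// Shape of the pre-2.1.8 setting: restriction off, CORS open to every origin,
// listening on all interfaces.
const vulnerableServer: DevServerConfig = {
  host: "0.0.0.0",
  cors: true,
  fs: { strict: false, allow: [PROJECT_ROOT] },
};

// Hardened counterpart: strict on, allow-list limited to the workspace,
// CORS pinned to the one origin that needs it, loopback bind only.
const hardenedServer: DevServerConfig = {
  host: "127.0.0.1",
  cors: { origin: ["http://localhost:4001"] },
  fs: { strict: true, allow: [PROJECT_ROOT] },
};

// Minimal POSIX normaliser: collapses "." and ".." so traversal segments cannot
// slip past the prefix comparison below.
function normalizePosix(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Map a request URL to the filesystem path it names: "/@fs/etc/passwd" -> "/etc/passwd";
// any other path is taken relative to the project root. Decoding first mirrors what a
// server does before it looks at the path.
function requestedFsPath(urlPath: string, root: string): string {
  const decoded = decodeURIComponent(urlPath.split("?")[0]);
  if (decoded.startsWith("/@fs/")) return normalizePosix(decoded.slice("/@fs".length));
  return normalizePosix(root + "/" + decoded);
}

// True when fsPath is one of the allowed roots or lies beneath one of them.
function isUnderAllowedRoot(fsPath: string, allow: string[]): boolean {
  return allow.some((dir) => {
    const d = normalizePosix(dir);
    return fsPath === d || fsPath.startsWith(d + "/");
  });
}

// The decision the dev server makes for a file request under a given config.
// With strict:false there is no check at all, which is the advisory's finding.
function fileRequestAllowed(cfg: DevServerConfig, urlPath: string): boolean {
  const target = requestedFsPath(urlPath, PROJECT_ROOT);
  if (!cfg.fs.strict) return true;
  return isUnderAllowedRoot(target, cfg.fs.allow);
}

// Whether a page on a foreign origin could read the response body in the browser,
// which is what permissive CORS hands to a browser-based attacker.
function crossOriginReadable(cfg: DevServerConfig, origin: string): boolean {
  if (cfg.cors === true) return true;
  if (cfg.cors === false) return false;
  return cfg.cors.origin.includes(origin);
}
```

Under the vulnerable config every path is served, so a request for /@fs/etc/passwd succeeds; under the hardened one the same request, an encoded ../ sequence, and a sibling directory that merely shares the workspace prefix are all refused, while files inside the workspace still load. Restricting cors to a known origin removes the cross-origin read, and binding to 127.0.0.1 removes most of the port-forwarding exposure; for the DNS rebinding case specifically, Vite's server.allowedHosts option (which validates the Host header) is the setting to review.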

Files Accessible to External Parties

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-29066
GHSA-m48g-4wr2-j2h6

Affected Products

@tinacms/cli
cli
tinacms