CVE-2026-33949

@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

Description

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.

INFO

Published Date :

2026-04-01T15:54:12.351Z

Last Modified :

2026-04-03T16:44:46.487Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33949 vulnerability.

Vendors	Products
Ssw	Tinacms\/graphql
Tina	Tinacms

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33949.

URL	Resource
https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact