What is CVE-2026-34604?

## Summary `@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`: - `path.resolve(path.join(baseDir, filepath))` - `startsWith(resolvedBase + path.sep)` That blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered "inside" the base even though the real filesystem target can be outside it. As a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root. ## Details The current bridge validation is: ```ts function assertWithinBase(filepath: string, baseDir: string): string { const resolvedBase = path.resolve(baseDir); const resolved = path.resolve(path.join(baseDir, filepath)); if ( resolved !== resolvedBase && !resolved.startsWith(resolvedBase + path.sep) ) { throw new Error( `Path traversal detected: "${filepath}" escapes the base directory` ); } return resolved; } ``` But the bridge then performs real filesystem I/O on the resulting path: ```ts public async get(filepath: string) { const resolved = assertWithinBase(filepath, this.outputPath); return (await fs.readFile(resolved)).toString(); } public async put(filepath: string, data: string, basePathOverride?: string) { const basePath = basePathOverride || this.outputPath; const resolved = assertWithinBase(filepath, basePath); await fs.outputFile(resolved, data); } public async delete(filepath: string) { const resolved = assertWithinBase(filepath, this.outputPath); await fs.remove(resolved); } ``` This is a classic realpath gap: 1. validation checks the lexical path string 2. the filesystem follows the link target during I/O 3. the actual target can be outside the intended root This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based: ```ts const realPath = path.join(collection.path, relativePath); this.validatePath(realPath, collection, relativePath); ``` Database write and delete operations then call the bridge: ```ts await this.bridge.put(normalizedPath, stringifiedFile); ... await this.bridge.delete(normalizedPath); ``` ## Local Reproduction This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems. Test layout: - content root: `D:\bugcrowd\tinacms\temp\junction-repro4` - allowed collection path: `content/posts` - junction inside collection: `content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside` - file outside content root: `outside\secret.txt` Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction. Observed result: ```json { "graphqlBridge": { "collectionPath": "content/posts", "requestedRelativePath": "pivot/owned.md", "validatedRealPath": "content\\posts\\pivot\\owned.md", "bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md", "bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n", "outsideGraphqlWriteExists": true, "outsideGraphqlWriteContents": "GRAPHQL_ESCAPE" } } ``` That is the critical point: - the path was accepted as inside `content/posts` - the bridge read `outside\secret.txt` - the bridge wrote `outside\owned.md` So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree. ## Impact - **Arbitrary file read/write outside the configured content root** - **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()` - **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked - **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant. ## Recommended Fix The containment check needs to compare canonical filesystem paths, not just string-normalized paths. For example: 1. resolve the base with `fs.realpath()` 2. resolve the candidate path's parent with `fs.realpath()` 3. reject any request whose real target path escapes the real base 4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file In short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone. ## Resources - `packages/@tinacms/graphql/src/database/bridge/filesystem.ts` - `packages/@tinacms/graphql/src/database/index.ts` - `packages/@tinacms/graphql/src/resolver/index.ts`

What is the severity of CVE-2026-34604?

CVE-2026-34604 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-34604?

No known public exploits are currently available for CVE-2026-34604.

Is there a patch available for CVE-2026-34604?

Yes, patches are available for CVE-2026-34604. Check the vendor advisories for update instructions.

CVE-2026-34604 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

@tinacms/graphql uses string-based path containment checks in FilesystemBridge:

path.resolve(path.join(baseDir, filepath))
startsWith(resolvedBase + path.sep)

That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it.

As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root.

Details

The current bridge validation is:

function assertWithinBase(filepath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir);
  const resolved = path.resolve(path.join(baseDir, filepath));
  if (
    resolved !== resolvedBase &&
    !resolved.startsWith(resolvedBase + path.sep)
  ) {
    throw new Error(
      `Path traversal detected: "${filepath}" escapes the base directory`
    );
  }
  return resolved;
}

But the bridge then performs real filesystem I/O on the resulting path:

public async get(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  return (await fs.readFile(resolved)).toString();
}

public async put(filepath: string, data: string, basePathOverride?: string) {
  const basePath = basePathOverride || this.outputPath;
  const resolved = assertWithinBase(filepath, basePath);
  await fs.outputFile(resolved, data);
}

public async delete(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  await fs.remove(resolved);
}

This is a classic realpath gap:

validation checks the lexical path string
the filesystem follows the link target during I/O
the actual target can be outside the intended root

This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled , but that validation is also string-based:

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com

Ready for Agentic Automated Testing?

CVE-2026-34604

Summary

Details

Local Reproduction

Impact

Recommended Fix

Resources