CVE-2026-24125: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in @tinacms graphql
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.
AI Analysis
Technical Summary
CVE-2026-24125 is a path traversal vulnerability classified under CWE-22 found in the @tinacms GraphQL API component of TinaCMS, a headless content management system. Prior to version 2.1.2, TinaCMS allowed users to create, update, and delete content documents by specifying relative file paths (relativePath, newRelativePath) through GraphQL mutations. These user-supplied paths were concatenated with the collection root directory path using Node.js's path.join() function. However, path.join() does not inherently prevent directory traversal attacks, as it simply concatenates paths and normalizes them without restricting the resulting path to remain within a specific directory. Consequently, an attacker could supply relative paths containing '../' sequences to traverse outside the intended collection directory and access or manipulate files elsewhere on the server's filesystem. This vulnerability requires the attacker to have some level of privileges (PR:L) to perform GraphQL mutations but does not require user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as unauthorized file access or modification could occur. The issue was publicly disclosed on March 12, 2026, with a CVSS v3.1 base score of 6.3, indicating medium severity. No known exploits have been reported in the wild. The fix implemented in version 2.1.2 involves validating that the resolved file paths remain strictly within the collection root directory before performing file operations, effectively mitigating the directory traversal risk.
Potential Impact
This vulnerability can allow authenticated users with mutation privileges to escape the intended content directory boundaries and access or modify arbitrary files on the server hosting TinaCMS. Potential impacts include unauthorized disclosure of sensitive files, tampering with critical configuration or content files, and deletion or corruption of data, which could disrupt content management workflows or compromise the integrity of the hosted content. While exploitation requires authentication, the ability to traverse directories can lead to privilege escalation or lateral movement within the application environment. Organizations relying on TinaCMS for managing web content or digital assets may face data breaches, content defacement, or service disruption if this vulnerability is exploited. The impact is particularly significant for organizations hosting sensitive or regulated content, as unauthorized file access could violate compliance requirements and damage reputation.
Mitigation Recommendations
Organizations should upgrade TinaCMS to version 2.1.2 or later, where this vulnerability is patched. Until upgrading, administrators should restrict GraphQL mutation access to trusted users only and implement strict access controls around content management interfaces. Code audits should be performed to ensure that any file path manipulations validate that resolved paths remain within authorized directories, using secure path normalization and whitelist checks. Employ runtime monitoring to detect unusual file access patterns or unauthorized directory traversal attempts. Additionally, consider isolating the TinaCMS environment with least privilege file system permissions to limit the impact of potential exploitation. Regular backups of content and configuration files are recommended to enable recovery in case of data tampering or deletion.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-21T18:38:22.473Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b302c82f860ef943d65dfc
Added to database: 3/12/2026, 6:15:36 PM
Last enriched: 3/12/2026, 6:29:42 PM
Last updated: 3/14/2026, 1:38:02 AM