CVE-2026-29066: TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction
The TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite’s built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system.
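A configuration check for the setting described above, as an added example that is not code from TinaCMS or Vite. The function name auditViteServer and the sample configs are constructed for illustration; server.fs.strict, server.fs.allow and server.host are Vite's own options.

```javascript
// Audit the `server` section of a Vite config object for settings that
// weaken the dev server's file-serving restriction or widen its exposure.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

function auditViteServer(viteConfig) {
  const server = (viteConfig && viteConfig.server) || {};
  const fs = server.fs || {};
  const findings = [];

  // Vite defaults to strict: true; only an explicit false turns off the
  // restriction on serving files outside the allowed directories.
  if (fs.strict === false) {
    findings.push('server.fs.strict is false: files outside the workspace can be served');
  }

  // An allow entry that is a filesystem root permits nearly every path,
  // even when strict is left on.
  const allow = Array.isArray(fs.allow) ? fs.allow : [];
  if (allow.some((p) => p === '/' || /^[A-Za-z]:[\\/]?$/.test(p))) {
    findings.push('server.fs.allow contains a filesystem root');
  }

  // With host unset Vite listens on localhost; true or a non-loopback
  // address makes the dev server reachable from the network.
  const host = server.host;
  if (host !== undefined && host !== false && !LOOPBACK_HOSTS.has(host)) {
    findings.push('server.host exposes the dev server beyond loopback');
  }
  return findings;
}

// Constructed sample: the setting named in the advisory.
const weakConfig = { server: { fs: { strict: false } } };

// Constructed sample: restriction on, workspace-only allow list, loopback.
const hardenedConfig = {
  server: { host: '127.0.0.1', fs: { strict: true, allow: ['.'] } },
};

console.log(auditViteServer(weakConfig));     // one finding
console.log(auditViteServer(hardenedConfig)); // no findings
```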