CVE-2026-33949: @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

March 30, 2026

A Path Traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts.

References

github.com/advisories/GHSA-v9p7-gf3q-h779
github.com/tinacms/tinacms
github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779
nvd.nist.gov/vuln/detail/CVE-2026-33949

Code Behaviors & Features

Detect and mitigate CVE-2026-33949 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →