CVE-2026-34603 HIGH

CVE-2026-34603: @tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions

Vendor Tinacms
Product tinacms
Weakness CWE-22 · Path traversal
Published April 1, 2026
Last update April 1, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2.

Key dates

02Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated