File Read Vulnerability in TinaCMS Affecting Versions Prior to 2.1.8
CVE-2026-29066

6.2MEDIUM

Key Information:

Vendor

@tinacms

Status
Vendor
CVE Published:
12 March 2026

What is CVE-2026-29066?

TinaCMS, a headless content management system, exhibits a file read vulnerability due to its dev server configuration setting ‘server.fs.strict’ to false prior to version 2.1.8. This misconfiguration allows unauthenticated attackers to access the development server, enabling them to read arbitrary files on the host system. Upgrade to TinaCMS version 2.1.8 or later to mitigate this risk and enhance your system's security.

Affected Version(s)

cli < 2.1.8

References

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.