
CVE-2026-29066: Arbitrary File Read in TinaCMS CLI via Permissive Vite Configuration

Vulnerability ID: CVE-2026-29066
CVSS Score: 6.2
Published: 2026-03-12

The @tinacms/cli package prior to version 2.1.8 contains a medium-severity vulnerability that allows unauthenticated local or adjacent attackers to read arbitrary files from the host filesystem. This occurs due to an insecure Vite development server configuration that explicitly disables filesystem strict boundaries.

TL;DR

TinaCMS CLI versions prior to 2.1.8 explicitly disable Vite's strict filesystem checks, enabling an unauthenticated arbitrary file read vulnerability via the development server's /@fs/ endpoint.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-552 / CWE-200
Attack Vector: Local / Adjacent Network
CVSS Score: 6.2
Impact: High Confidentiality (Arbitrary File Read)
Exploit Status: Proof of Concept (PoC) Available
KEV Status: Not Listed

Affected Systems

TinaCMS CLI (< 2.1.8)
Vite Development Server (Embedd
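
A defender-side check for the condition described above, as an added example that is not code from TinaCMS, Vite or the original article: it audits the options a Vite dev server is started with for a disabled `server.fs.strict`, a listener on all interfaces, and an `@tinacms/cli` version below 2.1.8. The function names, finding ids and both sample configs are assumptions constructed for illustration; `server.fs.strict` and `server.host` are Vite's documented option names.

```javascript
// Added example: audit Vite dev-server options for the setting in this advisory.
const FIXED_TINACMS_CLI = '2.1.8'; // first fixed version, per the advisory

// Compare dotted numeric versions; pre-release suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('.').map((p) => parseInt(p, 10) || 0);
  const pb = b.split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns a list of findings; an empty list means none of the checks fired.
function auditDevServer(viteConfig, tinaCliVersion) {
  const findings = [];
  const server = (viteConfig && viteConfig.server) || {};
  const fs = server.fs || {};

  // Only an explicit `false` turns the boundary check off; unset keeps Vite's default.
  if (fs.strict === false) {
    findings.push({ id: 'fs-strict-disabled',
      message: 'server.fs.strict is false: files outside the workspace root can be served' });
  }
  // `true`, '0.0.0.0' and '::' bind every interface, which makes the dev
  // server reachable from the adjacent network rather than loopback only.
  if (server.host === true || server.host === '0.0.0.0' || server.host === '::') {
    findings.push({ id: 'host-exposed',
      message: 'server.host binds all interfaces: restrict the dev server to localhost' });
  }
  if (tinaCliVersion && compareVersions(tinaCliVersion, FIXED_TINACMS_CLI) < 0) {
    findings.push({ id: 'tinacms-cli-outdated',
      message: `@tinacms/cli ${tinaCliVersion} is below ${FIXED_TINACMS_CLI}: upgrade` });
  }
  return findings;
}

// Constructed sample inputs: the weak setting beside the corrected one.
const WEAK_CONFIG = { server: { host: true, fs: { strict: false } } };
const HARDENED_CONFIG = { server: { host: 'localhost', fs: { strict: true } } };

for (const f of auditDevServer(WEAK_CONFIG, '2.1.7')) {
  console.log(`[${f.id}] ${f.message}`);
}
```
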




