TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
Description
TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.
Fixed in #7056 by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never "*").
Note: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < 2.5.6
Vulnerability mechanics
Root cause
"Missing origin and source validation on window message event handlers allows cross-origin message forgery."
Attack vector
An attacker who can induce a victim to visit a malicious page (or who controls a window in an opener/iframe relationship with a Tina admin session) can forge `message` events. Because the handlers did not validate `event.origin` or `event.source`, the attacker can drive the editor overlay, inject arbitrary preview content into the iframe, or intercept/forge the OAuth popup channel. This could allow session takeover or unauthorized content manipulation.
Affected code
The vulnerability spans three message-listener sites in TinaCMS: the `useTina` overlay handler (`packages/tinacms/src/react.tsx`), the OAuth authentication popup handler (`packages/tinacms/src/auth/authenticate.ts`), and the admin↔preview iframe GraphQL reducer (`packages/@tinacms/app/src/lib/graphql-reducer.ts`). All three acted on `event.data` without verifying `event.origin` or `event.source`, and outbound `postMessage` calls used a wildcard target origin.
What the fix does
The patch introduces helper functions (`isFromTrustedPreviewOrigin`, `postMessageToPreview`) that verify both `event.origin` against an allow-listed origin and `event.source` against the expected peer window before processing any message data. Outbound `postMessage` calls now pass the explicit `targetOrigin` instead of `'*'`. The OAuth handler similarly checks that the message origin matches the frontend URL's origin and that the source is the exact popup window it opened. These changes prevent cross-origin message forgery.
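As an added example (not TinaCMS's own code), the following models the two checks the fix describes in plain JavaScript: accept a message only when `event.origin` equals the single allow-listed peer origin and `event.source` is the exact window that was opened or embedded, and never post with a wildcard target origin. The helper names (`originOf`, `makeTrustedHandler`, `postToPeer`) and the preview origin are assumptions, and the window objects and events are constructed stand-ins so it runs under Node without a browser.

```javascript
// Added example, not TinaCMS code: a `message` handler with the origin and
// source checks the fix describes, and an outbound helper that refuses '*'.
// Reduce a configured peer URL (preview or frontend URL) to its origin.
function originOf(url) {
  return new URL(url).origin; // scheme://host[:port], no path or query
}
// Hardened handler: apply a message only when the sender's origin is the one
// allow-listed peer origin AND event.source is the exact window we opened
// (OAuth popup) or embedded (preview iframe). Returns whether it was applied.
function makeTrustedHandler({ trustedOrigin, expectedSource, apply }) {
  return (event) => {
    if (event.origin !== trustedOrigin) return false;  // forged from another origin
    if (event.source !== expectedSource) return false; // right origin, wrong window
    const data = event.data;
    if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
      return false;                                    // malformed payload
    }
    apply(data);
    return true;
  };
}
// Outbound side: always name the peer origin; with '*' any document that later
// occupies the target window could read the message.
function postToPeer(peerWindow, data, targetOrigin) {
  if (!targetOrigin || targetOrigin === '*') {
    throw new Error('refusing to postMessage with a wildcard target origin');
  }
  peerWindow.postMessage(data, targetOrigin);
}
// Demo with constructed stand-ins for the preview window and MessageEvents.
function demo() {
  const previewWin = { sent: [], postMessage(d, o) { this.sent.push([d, o]); } };
  const otherWin = { postMessage() {} };
  const applied = [];
  const handler = makeTrustedHandler({
    trustedOrigin: originOf('https://preview.example.test/admin/index.html'),
    expectedSource: previewWin,
    apply: (d) => applied.push(d.type),
  });
  const ok = { origin: 'https://preview.example.test', source: previewWin, data: { type: 'updateData' } };
  const results = {
    legit: handler(ok),
    wrongOrigin: handler({ ...ok, origin: 'https://attacker.example.test' }),
    wrongSource: handler({ ...ok, source: otherWin }),
    malformed: handler({ ...ok, data: 'not-an-object' }),
  };
  postToPeer(previewWin, { type: 'ping' }, originOf('https://preview.example.test'));
  return { results, applied, sentTo: previewWin.sent[0][1] };
}
```

Only the first event is applied; the same payload from a different origin, from a different window on the right origin, or with a malformed body is dropped before any data is touched.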
Preconditions
- auth: The victim must be logged into a TinaCMS admin session in one browser tab/window.
- network: The attacker must be able to open a window or iframe that shares a browsing context with the victim's Tina admin (e.g., via a malicious page the victim visits, or an opener relationship).
- config: No additional configuration beyond the default TinaCMS setup is required.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.