A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.
History

Fri, 10 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information. A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.
Title Path Traversal in Loki Datasource leads to Internal Information Disclosure Path traversal in the Loki data source plugin

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Grafana loki Datasource
Vendors & Products Grafana
Grafana grafana
Grafana loki Datasource

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.
Title Path Traversal in Loki Datasource leads to Internal Information Disclosure
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2026-06-22T13:18:27.365Z

Updated: 2026-07-13T13:27:21.189Z

Reserved: 2026-04-24T15:38:08.067Z

Link: CVE-2026-42129

cve-icon Vulnrichment

Updated: 2026-06-22T15:44:38.223Z

cve-icon NVD

No data.

cve-icon Redhat

No data.