Impact
The Tempo and Loki data‑source plugins for Grafana OSS allow a user with Viewer permissions to craft requests that reach unintended backend endpoints. This flaw can expose stored data‑source credentials, leak internal HTTP responses, or trigger administrative actions on the backend service, thereby compromising confidentiality and integrity of data.
Affected Systems
Any Grafana OSS installation that includes the Tempo and Loki plugins is potentially affected. The advisory does not list specific plugin or Grafana versions, so administrators should assume the vulnerability exists in all unpatched instances of these plugins.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity while the EPSS score of less than 1% and absence from the CISA KEV catalog suggest that the vulnerability is not widely exploited at present. The attack requires a legitimate Viewer‑level account that can send API requests through the Grafana interface; by manipulating request parameters a threat actor can reach protected backend endpoints, potentially exfiltrating credentials or initiating state‑changing operations on the Tempo or Loki services.
OpenCVE Enrichment