Description
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
Published: 2026-06-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tempo and Loki datasource plugins build backend HTTP requests by directly inserting user-supplied data into URL paths without sanitization. This flaw allows a Viewer-role user to perform path traversal, exposing administrator-configured credentials stored in secureJsonData, triggering state-changing admin endpoints such as /flush and /shutdown on Tempo, and retrieving full HTTP responses from Loki’s CallResource endpoint. Consequently, an attacker with Viewer access can obtain privileged credentials, alter the behavior of backend services, and exfiltrate internal data, compromising confidentiality and integrity.

Affected Systems

Any Grafana OSS installation that includes the Tempo and Loki datasource plugins is potentially affected. The advisory does not enumerate specific plugin or Grafana versions, so administrators should verify that their instances are running the patched releases provided by Grafana. If no minor version number is given, treat the vulnerability as present in all unpatched distributions of these plugins.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. EPSS is not provided, and the vulnerability is not listed in CISA KEV, suggesting no widespread or actively exploited incidents are known. The attack requires a legitimate Viewer-level account that can interact with the Grafana UI; however, because path traversal operates within the backend request context, an attacker can potentially leverage this to exfiltrate confidential settings and perform unintended administrative actions. Given the moderate risk score and lack of documented exploitation, organizations should assess the impact of their current Grafana rollout and act promptly.

Generated by OpenCVE AI on June 22, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grafana OSS to the latest version that contains the fix for CVE-2026-10601. This patch sanitizes user input and restricts access to admin-only endpoints in the Tempo and Loki plugins.
  • If an upgrade is not immediately possible, restrict Viewer roles from accessing or modifying the Tempo and Loki datasource configurations, or temporarily disable the plugins until the patch is applied.
  • Validate that the backend HTTP requests made by your plugins do not contain untrusted input, and consider configuring a network or application firewall rule that blocks outbound traffic from Grafana to internal endpoints used by Tempo/Loki unless explicitly permitted.
  • Monitor for suspicious API calls to Tempo’s /flush or /shutdown and to Loki’s CallResource endpoint, and alert on unexpected activity.
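The flaw in the description (user-supplied path segments interpolated straight into a backend URL) and the third recommended action (validate that plugin backend requests carry no untrusted input) are illustrated by the following added Go example. It is not code from Grafana or from the Tempo/Loki plugins; the base URL, the allowlisted prefixes, the function names and the sample inputs are assumptions constructed for the example. The vulnerable builder is shown beside a hardened one that decodes the input once, rejects scheme and host smuggling, normalises the path anchored at "/", and requires the result to match an allowlist before joining it to the datasource URL, so a Viewer's request can reach only the read-only endpoints the plugin intends to proxy.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// backendBase stands in for the administrator-configured datasource URL.
// Constructed value for this example; not taken from the advisory.
const backendBase = "http://tempo.internal:3200/api/"

// allowedPrefixes is a hypothetical allowlist of read-only API paths a
// Viewer-role request may reach through the proxy. A real plugin would
// derive this from the backend API it actually exposes.
var allowedPrefixes = []string{"search", "traces", "echo"}

// ErrRejected is returned for any user path that fails validation.
var ErrRejected = errors.New("proxy path rejected")

// buildURLUnsafe shows the vulnerable pattern the advisory describes:
// user input is concatenated straight into the backend URL, so ".."
// segments or an embedded host are handed to the HTTP client unchanged.
func buildURLUnsafe(userPath string) string {
	return backendBase + userPath
}

// buildURLSafe is the hardened builder. Query parameters are passed
// separately so they can never alter the path component.
func buildURLSafe(userPath string, query map[string][]string) (string, error) {
	if userPath == "" {
		return "", ErrRejected
	}
	// Decode percent-encoding once so "%2e%2e" is seen as ".." by path.Clean.
	decoded, err := url.PathUnescape(userPath)
	if err != nil {
		return "", ErrRejected
	}
	// Reject anything that could change scheme or host, or smuggle a query.
	if strings.Contains(decoded, "://") || strings.HasPrefix(decoded, "//") ||
		strings.ContainsAny(decoded, "?#\\") {
		return "", ErrRejected
	}
	// Anchoring at "/" makes path.Clean collapse leading ".." instead of
	// letting it climb above the base path.
	rel := strings.TrimPrefix(path.Clean("/"+decoded), "/")
	allowed := false
	for _, p := range allowedPrefixes {
		if rel == p || strings.HasPrefix(rel, p+"/") {
			allowed = true
			break
		}
	}
	if !allowed {
		return "", ErrRejected
	}
	base, err := url.Parse(backendBase)
	if err != nil {
		return "", err
	}
	base.Path = path.Join(base.Path, rel)
	base.RawPath = ""
	base.RawQuery = url.Values(query).Encode()
	return base.String(), nil
}

func main() {
	// Constructed inputs: two legitimate requests and three that must not
	// become a request outside the allowlisted paths under /api/.
	inputs := []string{
		"traces/abc123",
		"traces/abc123/../def",
		"../flush",
		"%2e%2e/shutdown",
		"//attacker.example/collect",
	}
	for _, in := range inputs {
		safe, err := buildURLSafe(in, nil)
		fmt.Printf("%-30q unsafe=%q safe=%q err=%v\n", in, buildURLUnsafe(in), safe, err)
	}
}
```

The allowlist is what actually bounds the request: normalisation alone would still let a cleaned path land on any endpoint under the base, and double-encoded input (which decodes only once here) is caught because the leftover percent-escapes never match an allowed prefix.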

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 14:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-200, CWE-22

Mon, 22 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
Title | (none) | Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-06-22T13:18:31.531Z

Reserved: 2026-06-02T09:57:26.570Z

Link: CVE-2026-10601

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:30:05Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')