Description
The fix for CVE-2021-36156 checks the namespace parameter for path traversal sequences only after a single URL decode. By double URL-encoding the traversal sequence, an attacker bypasses that check and can read files through the Ruler API endpoint /loki/api/v1/rules/{namespace}.

Thanks to Prasanth Sundararajan for reporting this vulnerability.
Published: 2026-04-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Read arbitrary local files via the Ruler API
Action: Prioritize Patch
AI Analysis

Impact

The fix for CVE-2021-36156 URL-decodes the namespace parameter once and then checks the result for path traversal sequences. A double-encoded payload survives that single decode with no literal traversal sequence in it, so the check passes; the sequence only appears once the value is decoded a second time, which is too late for the validator. An attacker can therefore read files through the /loki/api/v1/rules/{namespace} endpoint, exposing configuration or credential material on the host. The weakness is CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal).
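As an added illustration for this page (not Loki's code and not the reporter's exploit), the following Go program models the bug class the advisory names: a validator that URL-decodes a namespace once before looking for traversal, paired with a downstream layer that decodes the value again before building a filesystem path. The function names, the rules directory and the payloads are assumptions for the demo; the second decode in consumerPath is likewise an assumption that stands in for whatever later step in a real service makes the double-encoded sequence reach the filesystem. strictValidate shows the hardened shape: decode until the value is stable, then require a single clean path segment.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveValidate models the class of check the advisory describes: URL-decode the
// namespace once, then reject traversal sequences. Illustrative code written for
// this page, not Loki's implementation.
func naiveValidate(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	if strings.Contains(decoded, "..") || strings.ContainsAny(decoded, `/\`) {
		return "", errors.New("path traversal detected")
	}
	return decoded, nil
}

// consumerPath models a downstream layer (assumed for the demo) that decodes the
// value a second time before joining it onto the rules directory. The mismatch
// between one decode in the validator and two decodes before use is the bug.
func consumerPath(rulesDir, ns string) string {
	again, err := url.PathUnescape(ns)
	if err != nil {
		again = ns
	}
	return path.Join(rulesDir, again)
}

// strictValidate decodes until the value stops changing (with a bound), then
// requires a single clean path segment: no separators, no leftover escapes or
// NUL bytes, not "." or "..", and unchanged by path.Clean.
func strictValidate(raw string) (string, error) {
	cur := raw
	stable := false
	for i := 0; i < 4; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil {
			return "", err
		}
		if next == cur {
			stable = true
			break
		}
		cur = next
	}
	if !stable || cur == "" || cur == "." || cur == ".." {
		return "", errors.New("invalid namespace")
	}
	if strings.ContainsAny(cur, "%/\\\x00") {
		return "", errors.New("invalid namespace")
	}
	if path.Clean("/"+cur) != "/"+cur {
		return "", errors.New("invalid namespace")
	}
	return cur, nil
}

func main() {
	const rulesDir = "/rules" // assumed location of per-namespace rule files
	for _, raw := range []string{
		"team-a",                        // legitimate namespace
		"%2e%2e%2fetc%2fpasswd",         // single-encoded ../etc/passwd: caught by a single-decode check
		"%252e%252e%252fetc%252fpasswd", // double-encoded: slips past a single-decode check
	} {
		fmt.Printf("raw=%q\n", raw)
		if ns, err := naiveValidate(raw); err != nil {
			fmt.Printf("  naive:  rejected (%v)\n", err)
		} else {
			fmt.Printf("  naive:  accepted %q -> opens %q\n", ns, consumerPath(rulesDir, ns))
		}
		if ns, err := strictValidate(raw); err != nil {
			fmt.Printf("  strict: rejected (%v)\n", err)
		} else {
			fmt.Printf("  strict: accepted %q -> opens %q\n", ns, path.Join(rulesDir, ns))
		}
	}
}
```

Running it shows the single-encoded payload rejected by both checks, while the double-encoded one passes naiveValidate as the harmless-looking string %2e%2e%2fetc%2fpasswd and is then joined as ../etc/passwd, escaping the rules directory; strictValidate rejects it because the fully decoded value contains a separator. The general rule the example illustrates: validate the exact representation that will be used, after all decoding is finished, and reject anything that would still decode further.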

Affected Systems

Grafana Loki deployments that expose the Ruler API and carry only the CVE-2021-36156 fix, which is the check this bypass defeats. The advisory gives no version range, so until Grafana publishes one, treat every release that does not include a fix for this bypass as affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) scores 5.3 (Medium): network-reachable, low attack complexity, no privileges or user interaction required, with a limited confidentiality impact and no integrity or availability impact. No EPSS score is listed, so public exploitation data is unavailable, and the vulnerability is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. Exploitation requires only that the attacker can send an HTTP request with a crafted namespace parameter to a Loki instance whose Ruler API is reachable.

Generated by OpenCVE AI on April 16, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grafana Loki to a release that fixes this bypass (CVE-2026-21726) as soon as Grafana publishes one; the CVE-2021-36156 patch on its own is the check being bypassed and does not protect against this issue
  • If an immediate upgrade is not possible, isolate the Loki instance from untrusted networks so that the Ruler API is not remotely reachable
  • Restrict who can query /loki/api/v1/rules/{namespace} so that only authenticated and authorized clients can supply a namespace parameter; Loki does not enforce authentication itself, so this normally means an authenticating reverse proxy in front of it
  • Until patched, treat request paths under /loki/api/v1/rules/ that contain %25 (an encoded percent sign, the signature of double encoding) as suspicious in proxy and access logs



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 02:45:00 +0000

Type: Weaknesses
Values Added: CWE-22

Wed, 15 Apr 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Grafana, Grafana loki
Type: Vendors & Products
Values Added: Grafana, Grafana loki

Wed, 15 Apr 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 20:00:00 +0000

Type: Description
Values Added: The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.
Type: Title
Values Added: Loki Path Traversal - CVE-2021-36156 Bypass
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-15T20:01:33.375Z

Reserved: 2026-01-05T09:26:06.215Z

Link: CVE-2026-21726

Vulnrichment

Updated: 2026-04-15T20:01:29.185Z

NVD

Status : Received

Published: 2026-04-15T20:16:34.177

Modified: 2026-04-15T20:16:34.177

Link: CVE-2026-21726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses