Impact
The vulnerability in the Loki datasource plugin allows an authenticated user with Viewer permissions to perform a path traversal that bypasses the plugin’s sandbox and reaches administrative Loki endpoints. Through these endpoints the attacker can read sensitive backend configuration and internal service information, exposing internal data.
Affected Systems
The vulnerability affects Grafana OSS installations that use the Loki datasource plugin. The affected versions are not documented in the advisory; therefore, any Grafana OSS deployment that includes the plugin is potentially exposed until an official fix is applied.
Risk and Exploitability
The CVSS score of 7.7 indicates a high severity medium‑to‑high impact risk. The EPSS score of < 1% indicates that exploitation is very unlikely but not impossible, and the vulnerability is not recorded in CISA’s KEV catalog. Exploitation requires only valid Viewer‑role credentials, meaning any authenticated Grafana user who has Viewer permissions could trigger the exploit. An attacker can then view internal Loki configuration data and other service metadata, potentially aiding further attacks or revealing sensitive system architecture.
OpenCVE Enrichment