Description
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.
Published: 2026-06-22
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Loki datasource plugin allows an authenticated user with Viewer permissions to perform a path traversal that bypasses the plugin’s sandbox and reaches administrative Loki endpoints. Through these endpoints the attacker can read sensitive backend configuration and internal service information, exposing internal data.

Affected Systems

The vulnerability affects Grafana OSS installations that use the Loki datasource plugin. The affected versions are not documented in the advisory; therefore, any Grafana OSS deployment that includes the plugin is potentially exposed until an official fix is applied.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity medium‑to‑high impact risk. The EPSS score of < 1% indicates that exploitation is very unlikely but not impossible, and the vulnerability is not recorded in CISA’s KEV catalog. Exploitation requires only valid Viewer‑role credentials, meaning any authenticated Grafana user who has Viewer permissions could trigger the exploit. An attacker can then view internal Loki configuration data and other service metadata, potentially aiding further attacks or revealing sensitive system architecture.

Generated by OpenCVE AI on July 12, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grafana OSS to a version that includes the Loki plugin fix or apply the specific patch released by Grafana.
  • Restrict or remove Viewer‑role permissions for users who do not need access to internal data, or convert them to a lower‑privileged role if available.
  • Configure Loki to disable or restrict administrative endpoints or place them behind additional authentication and authorization controls.

Generated by OpenCVE AI on July 12, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information. A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.
Title Path Traversal in Loki Datasource leads to Internal Information Disclosure Path traversal in the Loki data source plugin

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Grafana loki Datasource
Vendors & Products Grafana
Grafana grafana
Grafana loki Datasource

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.
Title Path Traversal in Loki Datasource leads to Internal Information Disclosure
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Grafana Grafana Loki Datasource
cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-07-10T18:44:49.423Z

Reserved: 2026-04-24T15:38:08.067Z

Link: CVE-2026-42129

cve-icon Vulnrichment

Updated: 2026-06-22T15:44:38.223Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T21:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')