129 matches found
CVE-2026-10601 Path traversal in the Tempo and Loki data source plugins
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...
CVE-2026-10601
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...
CVE-2026-42129 Path traversal in the Loki data source plugin
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...
CVE-2026-42129
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...
CVE-2026-42129
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...
EUVD-2026-38241
The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints e.g. /config, /services, /ready to extract sensitive backend configuration and internal...
CVE-2026-42129
The CVE describes a path traversal vulnerability in the Loki datasource plugin (callResource handler). An authenticated Viewer-role user can escape the plugin’s resource sandbox and reach administrative Loki endpoints (for example, /config, /services, /ready) to exfiltrate sensitive backend confi...
CVE-2026-42129 Path traversal in the Loki data source plugin
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...
PT-2026-51303
Name of the Vulnerable Software and Affected Versions Loki datasource plugin affected versions not specified Description The callResource handler in the Loki datasource plugin contains a path traversal flaw. This allows an authenticated user with a Viewer role to escape the resource sandbox and...
PT-2026-51299
Name of the Vulnerable Software and Affected Versions Tempo datasource plugin affected versions not specified Loki datasource plugin affected versions not specified Description These plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization,...
Linux Distros Unpatched Vulnerability : CVE-2026-10601
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path...
GHSA-CP6G-7HQX-QXHP vulnerabilities
Vulnerabilities for packages: bento, opentelemetry-collector-contrib, grafana, migrate, slsa-verifier, argo-cd, promxy, grafana-mimir, vcluster, kubeflow-pipelines, teleport, ferretdb, cortex, dapr, grafana-pyroscope, kubescape-operator, ksops, thanos, tetragon, kyverno, amazon-cloudwatch-agent,...
CVE-2026-2303 vulnerabilities
Vulnerabilities for packages: bento, opentelemetry-collector-contrib, grafana, migrate, slsa-verifier, argo-cd, promxy, grafana-mimir, vcluster, kubeflow-pipelines, teleport, ferretdb, cortex, dapr, grafana-pyroscope, kubescape-operator, ksops, thanos, tetragon, kyverno, amazon-cloudwatch-agent,...
CVE-2026-21726
A flaw was found in Loki. A remote attacker can exploit a path traversal vulnerability by using double encoding on the namespace parameter after a single URL decode. This allows the attacker to read arbitrary files at the Ruler API endpoint, leading to information disclosure...
SUSE CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
Grafana Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
GHSA-497X-RRR9-68JP Grafana Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
EUVD-2026-23100
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726 Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...