Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Sun, 12 Jul 2026 03:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 |
Fri, 10 Jul 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access | Path traversal in the Tempo and Loki data source plugins |
Fri, 10 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Path traversal in the Tempo and Loki data source plugins | Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access |
Fri, 10 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies. | A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the configured backend. |
| Title | Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access | Path traversal in the Tempo and Loki data source plugins |
Wed, 24 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Grafana
Grafana grafana |
|
| Vendors & Products |
Grafana
Grafana grafana |
Tue, 23 Jun 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 22 Jun 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Jun 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 CWE-22 |
Mon, 22 Jun 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies. | |
| Title | Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GRAFANA
Published:
Updated: 2026-07-13T13:27:01.125Z
Reserved: 2026-06-02T09:57:26.570Z
Link: CVE-2026-10601
Updated: 2026-06-22T15:44:10.844Z
No data.
OpenCVE Enrichment
Updated: 2026-07-13T06:00:04Z