Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 10 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information. | A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information. |
| Title | Path Traversal in Loki Datasource leads to Internal Information Disclosure | Path traversal in the Loki data source plugin |
Wed, 24 Jun 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Grafana
Grafana grafana Grafana loki Datasource |
|
| Vendors & Products |
Grafana
Grafana grafana Grafana loki Datasource |
Mon, 22 Jun 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Jun 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-22 |
Mon, 22 Jun 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information. | |
| Title | Path Traversal in Loki Datasource leads to Internal Information Disclosure | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GRAFANA
Published:
Updated: 2026-07-10T18:44:49.423Z
Reserved: 2026-04-24T15:38:08.067Z
Link: CVE-2026-42129
Updated: 2026-06-22T15:44:38.223Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-24T20:41:24Z