CVE-2026-21726
Path Traversal in Grafana Loki Ruler API Allows File Access

Publication date: 2026-04-15

Last updated on: 2026-04-20

Assigner: Grafana Labs

Description
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Sundararajan for reporting this vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: grafana
Product: loki
Version / Range: versions before 3.6.4 (3.6.4 excluded)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21726 is a medium severity vulnerability affecting Grafana Loki. It is a bypass of a previous fix (CVE-2021-36156) that addressed a path traversal issue in the Ruler API endpoint `/loki/api/v1/rules/{namespace}`. The original fix validated the "namespace" parameter after a single URL decode to prevent path traversal. However, this vulnerability allows an attacker to use double URL encoding to bypass that validation and perform path traversal attacks.

This means an attacker can read arbitrary files on the system by exploiting the Ruler API endpoint without needing any privileges or user interaction.

How can this vulnerability impact me?

This vulnerability allows an attacker to read arbitrary files on the system running Grafana Loki by exploiting the Ruler API endpoint. Since no privileges or user interaction are required, it can be exploited remotely over the network.

The impact is limited to confidentiality (C:L) as per the CVSS score, meaning sensitive information could be exposed, but integrity and availability are not affected.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a path traversal attack via double URL encoding on the namespace parameter at the Ruler API endpoint `/loki/api/v1/rules/{namespace}` in Grafana Loki.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the `/loki/api/v1/rules/` endpoint for suspicious double URL encoded sequences that attempt path traversal.

  • Use network traffic inspection tools (e.g., Wireshark, tcpdump) to filter requests containing double encoded path traversal patterns such as `%252e%252e` (double encoded `..`).
  • On the server, check web server or application logs for requests to `/loki/api/v1/rules/` with unusual encoded characters or sequences.
  • Example command to search logs for double encoded traversal attempts (case-insensitive, so `%252E` is matched as well as `%252e`): `grep -iE '%252e%252e' /var/log/grafana/loki.log`
  • Example command to monitor live traffic for suspicious requests: `tcpdump -A -s 0 'tcp port 3100 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '%252e%252e'` (adjust port as needed)
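As an added example (not code from this page or from Grafana Labs), the following Python scans constructed access-log lines for Ruler API requests whose namespace resolves to a traversal sequence at any encoding depth, which is exactly what a single-decode check misses. It assumes a reverse proxy in front of Loki writing common-log-format request lines, and it generalises the double-encoded `%252e%252e` pattern above to any number of encoding layers and to upper-case hex that a literal grep for `%252e` would miss.

```python
import re
from urllib.parse import unquote

RULES_PREFIX = "/loki/api/v1/rules/"   # endpoint from the advisory; {namespace} follows it
MAX_DECODE_ROUNDS = 5                   # bound the loop; a legitimate name needs at most one decode
# Request line inside a common/combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (?P<path>\S+) HTTP/[\d.]+"')

def traversal_decode_depth(segment):
    """Number of URL-decode rounds after which '..' or a separator first appears,
    or None if the segment reaches a decode fixed point without one. Depth 1 is what
    a single-decode check (the CVE-2021-36156 fix) catches; depth 2 is the bypass."""
    current = segment
    for depth in range(MAX_DECODE_ROUNDS + 1):
        if ".." in current or "/" in current or "\\" in current:
            return depth
        decoded = unquote(current)          # handles %2e and %2E alike
        if decoded == current:
            return None                     # fully decoded and still clean
        current = decoded
    return None  # still changing after the bound: rare, worth separate review

def raw_namespace(path):
    """The still-encoded {namespace} segment, or None for other endpoints."""
    if not path.startswith(RULES_PREFIX):
        return None
    rest = path[len(RULES_PREFIX):].split("?", 1)[0]
    return rest.split("/", 1)[0]  # a literal '/' starts the optional group-name segment

def scan_access_log(lines):
    """(line number, raw namespace, decode depth) for each Ruler API request that traverses."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        namespace = raw_namespace(match.group("path")) if match else None
        depth = traversal_decode_depth(namespace) if namespace is not None else None
        if depth is not None:
            findings.append((lineno, namespace, depth))
    return findings

# Constructed sample access-log lines (not real traffic); lines 1-2 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2026:10:00:01 +0000] "GET /loki/api/v1/rules/team-a HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Apr/2026:10:00:02 +0000] "GET /loki/api/v1/rules/team%20a/alerts HTTP/1.1" 200 128',
    '10.0.0.9 - - [15/Apr/2026:10:00:03 +0000] "GET /loki/api/v1/rules/%2e%2e%2fexample HTTP/1.1" 400 0',
    '10.0.0.9 - - [15/Apr/2026:10:00:04 +0000] "GET /loki/api/v1/rules/%252e%252e%252fexample HTTP/1.1" 200 940',
    '10.0.0.9 - - [15/Apr/2026:10:00:05 +0000] "GET /loki/api/v1/rules/%252E%252E%252Fexample HTTP/1.1" 200 940',
    '10.0.0.9 - - [15/Apr/2026:10:00:06 +0000] "GET /loki/api/v1/rules/%25252e%25252e%25252fexample HTTP/1.1" 200 940',
]
```

The same decode-to-fixed-point loop is the shape a validator needs on the server side; checking once after a single decode is defeated by one extra encoding layer.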

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Grafana Loki to version 3.6.4 or later, where this vulnerability is fixed.

Until the upgrade can be applied, consider implementing network-level protections such as blocking or filtering requests with suspicious double URL encoded sequences targeting the `/loki/api/v1/rules/` endpoint.

Additionally, monitor logs and network traffic for exploitation attempts and respond accordingly.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to read arbitrary files on the affected system by bypassing input validation through double URL encoding. Such unauthorized access to files could potentially expose sensitive or personal data.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls to prevent unauthorized access to personal or protected health information.

Therefore, if exploited, this vulnerability could negatively impact compliance with common standards and regulations by enabling data breaches or unauthorized data disclosure.

