CVE-2026-10601
Status: Received - Intake
Path Traversal in Grafana Tempo and Loki Datasource Plugins

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Grafana Labs

Description
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
grafana  tempo     *
grafana  loki      *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Tempo and Loki datasource plugins, where they construct backend HTTP requests by inserting user-supplied input directly into URL paths without proper sanitization. This lack of sanitization enables path traversal attacks.

A user with Viewer role can exploit this to: (1) capture admin-configured datasource credentials by redirecting requests to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo such as /flush or /shutdown, and (3) exfiltrate internal service data through Loki's CallResource feature which returns full HTTP response bodies.
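The root cause named in the description and the summary above is the same: a caller-controlled string is concatenated into the backend URL path. The following Go snippet is an added example of the defensive pattern that closes that gap; it is not code from the Grafana Tempo or Loki plugins, and the function name `safeURL`, the `/api/traces` prefix and the sample base URL are assumptions made for illustration. The segment is first checked against an allowlist, then joined onto the fixed prefix with `path.Join` (which collapses dot-segments), and the result is rejected if it no longer sits under that prefix.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// ErrBadSegment is returned when a caller-supplied path element cannot be
// safely placed into the backend URL.
var ErrBadSegment = errors.New("invalid path segment")

// segmentRE is an allowlist for a single opaque path element (trace IDs,
// label names and similar). Anything outside it is rejected rather than
// escaped. Constructed for this example, not taken from any plugin.
var segmentRE = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// safeURL builds "<base>/api/traces/<userSeg>" with two independent checks:
// the allowlist on the raw input, and a prefix check on the cleaned path, so
// that a mistake in one does not silently reopen traversal. Hypothetical
// helper written for this example.
func safeURL(base, userSeg string) (string, error) {
	// The allowlist admits "." and "..", so reject dot-segments explicitly.
	if userSeg == "." || userSeg == ".." || !segmentRE.MatchString(userSeg) {
		return "", ErrBadSegment
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	// Keep any path prefix the admin configured on the datasource URL.
	basePath := path.Join(u.Path, "/api/traces")
	joined := path.Join(basePath, userSeg)
	// path.Join cleans "..", so an escaping segment lands outside basePath.
	if !strings.HasPrefix(joined, basePath+"/") {
		return "", ErrBadSegment
	}
	u.Path = joined
	u.RawPath = ""
	u.RawQuery = "" // never let query or fragment data ride along from input
	u.Fragment = ""
	return u.String(), nil
}

func main() {
	// Sample inputs constructed for this example: one valid trace ID and
	// three shapes of traversal attempt that the checks must refuse.
	for _, seg := range []string{"abc123", "../../flush", "..%2f..%2fflush", "x?y=1"} {
		got, err := safeURL("http://tempo:3200", seg)
		fmt.Printf("%-18q -> %q err=%v\n", seg, got, err)
	}
}
```

The allowlist is deliberately narrow; a plugin that must pass through richer identifiers should widen `segmentRE` and rely on the prefix check, never on raw concatenation. Clearing `RawQuery` and `Fragment` matters because a segment is only one path element, and nothing else from the caller should influence where the request goes.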

Impact Analysis

The vulnerability can lead to several impacts including unauthorized access to sensitive admin credentials, unauthorized execution of administrative actions on the Tempo service, and leakage of internal service data.

  • Exposure of admin-configured datasource credentials to attackers.
  • Ability for a Viewer-role user to perform state-changing operations on Tempo, potentially disrupting service.
  • Exfiltration of internal service data via Loki's CallResource, which could lead to data breaches.