CVE-2026-42129
Received - Intake
Path Traversal in Grafana Loki Datasource Plugin

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Grafana Labs

Description
The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.
Affected Vendors & Products
Vendor Product Version / Range
grafana loki_datasource_plugin *
CWE ID Description
CWE-UNKNOWN
Executive Summary

The Loki datasource plugin's callResource handler has a path traversal vulnerability. This means that an authenticated user with Viewer role privileges can bypass the plugin's resource sandbox restrictions.

By exploiting this vulnerability, the user can access administrative Loki endpoints such as /config, /services, and /ready, which are normally restricted.

This unauthorized access allows the extraction of sensitive backend configuration and internal service information.
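
The page includes no patch or vendor code, so the following is an added sketch, not Grafana's fix or the plugin's own code: a Go check that confines a caller-supplied resource path to an allowed API subtree before it is proxied upstream. The function name, the error value and the `/loki/api/v1/` prefix are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// allowedPrefix is an assumption for this sketch: the Loki query API subtree
// that a resource proxy would be confined to.
const allowedPrefix = "/loki/api/v1/"

var ErrOutsideSandbox = errors.New("resource path escapes sandbox")

// SafeUpstreamPath (hypothetical helper) maps a caller-supplied resource path
// to an upstream path under allowedPrefix, or rejects it.
func SafeUpstreamPath(resource string) (string, error) {
	// Decode once; a '%' that survives means double encoding, and a
	// backslash is never valid in these paths.
	decoded, err := url.PathUnescape(resource)
	if err != nil || strings.ContainsAny(decoded, "%\\") {
		return "", ErrOutsideSandbox
	}
	// Reject dot-dot segments outright instead of silently normalising them.
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return "", ErrOutsideSandbox
		}
	}
	// Defence in depth: the cleaned result must still sit under the prefix.
	cleaned := path.Clean(allowedPrefix + strings.TrimLeft(decoded, "/"))
	if !strings.HasPrefix(cleaned+"/", allowedPrefix) {
		return "", ErrOutsideSandbox
	}
	return cleaned, nil
}

func main() {
	// Constructed inputs, not taken from any advisory.
	for _, in := range []string{"label/job/values", "../../config", "%2e%2e/%2e%2e/services", "%252e%252e/ready"} {
		out, err := SafeUpstreamPath(in)
		fmt.Printf("%-28q -> %q err=%v\n", in, out, err)
	}
}
```

Rejecting the request, rather than cleaning the path and forwarding it, also leaves a clear event to log and alert on.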

Impact Analysis

This vulnerability can have significant impacts because it allows an authenticated Viewer-role user to access sensitive backend configuration and internal service information.

Such unauthorized access could lead to exposure of critical system details that might be used for further attacks or exploitation.

The CVSS base score of 7.7 indicates a high severity, emphasizing the potential risk to confidentiality.
