Path Traversal Issue in Loki Datasource Plugin by Grafana
CVE-2026-42129

7.7HIGH

Key Information:

Vendor: Grafana
Status: Grafana Oss
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-42129?

The Loki datasource plugin is affected by a path traversal vulnerability in its callResource handler. This flaw allows authenticated users with Viewer-role access to bypass the plugin's resource sandbox restrictions. As a result, they can gain unauthorized access to sensitive administrative Loki endpoints such as /config, /services, and /ready, thereby compromising sensitive backend configurations and exposing critical internal service information.

References

https://grafana.com/security/security-advisories/cve-2026...

vendor-advisory

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Apr 24, 2026

Credit

khanmarshal (Researcher)

CVE-2026-42129 Data

JSON