CVE-2026-10601 · Symaro Security Advisory

Description

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.

Severity (CVSS)

Base score	5.4
Severity	Medium
Version	CVSS 3.1
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Provided by	CNA

Affected products

Vendor	Product	Versions
Grafana	Grafana OSS	11.6.0

References

https://grafana.com/security/security-advisories/cve-2026-10601 (vendor-advisory)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.