CVE-2026-42129 · Symaro Security Advisory

Description

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.

Severity (CVSS)

Base score	7.7
Severity	High
Version	CVSS 3.1
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Provided by	CNA

Affected products

Vendor	Product	Versions
Grafana	Grafana OSS	—

References

https://grafana.com/security/security-advisories/cve-2026-42129 (vendor-advisory)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.