Path traversal in the Tempo and Loki data source plugins

Medium
Advisory ID:CVE-2026-10601
Published:2026-06-09
Product:Grafana
CVSS Score:5.4
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Fixed Versions:
>=11.6.15
>=12.2.9
>=12.3.7
>=12.4.4
>=13.0.2

Summary

A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the configured backend. Upgrade to a fixed version listed below.