Path traversal in the Loki data source leads to internal information disclosure

High
Advisory ID:CVE-2026-42129
Published:2026-06-09
Product:Grafana
CVSS Score:7.7
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Fixed Versions:
>=11.6.15
>=12.2.9
>=12.3.7
>=12.4.4
>=13.0.2

Summary

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information. Upgrade to a fixed version listed below.