Path traversal in the Loki data source leads to internal information disclosure
High
| Advisory ID: | CVE-2026-42129 |
| Published: | 2026-06-09 |
| Product: | Grafana |
| CVSS Score: | 7.7 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| Fixed Versions: | >=11.6.15 >=12.2.9 >=12.3.7 >=12.4.4 >=13.0.2 |
Summary
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information. Upgrade to a fixed version listed below.