CVE Alert

CVE-2026-10601

MEDIUM 5.4

Path Traversal in Tempo and Loki Data Source Plugins: Credential Leakage and Admin Endpoint Access

CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 0th

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
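As an added defensive illustration (not Grafana's code; the allowlist entries and backend hostnames are constructed), this Go function shows how a plugin's resource proxy can validate a caller-supplied path before appending it to the admin-configured backend URL: it rejects dot segments and their percent-encoded forms, refuses any scheme or host in the input, and only forwards to known API routes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrRejected is returned for any resource path that must not reach the backend.
var ErrRejected = errors.New("resource path rejected")

// allowedPrefixes is a constructed allowlist of upstream API routes a Viewer may
// reach through the proxy. The real plugins' route tables are not on the page.
// Every entry ends in "/" so "/api/search" cannot match "/api/searchx".
var allowedPrefixes = []string{"/loki/api/v1/", "/api/search/", "/api/traces/"}

// SafeBackendURL builds the upstream URL for a proxied resource request.
// base is the trusted, admin-configured datasource URL; userPath is the
// untrusted path (with optional query) supplied by the caller.
func SafeBackendURL(base, userPath string) (string, error) {
	// url.Parse percent-decodes the path, so "%2e%2e" is checked as "..".
	u, err := url.Parse(userPath)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", ErrRejected // caller tried to redirect the request elsewhere
	}
	p := u.Path
	if strings.Contains(p, "\\") {
		return "", ErrRejected
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	// Reject dot segments outright rather than silently cleaning them,
	// so the attempt is visible in request logs.
	for _, seg := range strings.Split(p, "/") {
		if seg == "." || seg == ".." {
			return "", ErrRejected
		}
	}
	p = path.Clean(p)
	allowed := false
	for _, prefix := range allowedPrefixes {
		if p == strings.TrimSuffix(prefix, "/") || strings.HasPrefix(p, prefix) {
			allowed = true
		}
	}
	if !allowed {
		return "", ErrRejected
	}
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	// Scheme and host come only from base; the user path is appended below it.
	b.Path = path.Join(b.Path, p)
	b.RawQuery = u.RawQuery
	return b.String(), nil
}

func main() {
	for _, in := range []string{"/loki/api/v1/labels?since=1h", "/loki/api/v1/../../flush", "//attacker.invalid/x"} {
		out, err := SafeBackendURL("http://loki.internal:3100", in)
		fmt.Printf("%-30s -> %q %v\n", in, out, err)
	}
}
```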

Vendor: grafana
Product: grafana oss
Industries: Technology
Published: Jun 22, 2026
Last Updated: Jun 22, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Affected Versions

Grafana / Grafana OSS: 11.6.0

References

NVD, CVE.org, EPSS Data
grafana.com: https://grafana.com/security/security-advisories/cve-2026-10601

Credits

homb (Researcher)