Executive Summary

A path traversal vulnerability in the Grafana Loki datasource plugin allows an authenticated Viewer-role user to escape the plugin's resource sandbox and access administrative Loki endpoints. This vulnerability has a CVSS score of 7.7 and is considered HIGH severity.

Technical Analysis

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can exploit this vulnerability to access administrative Loki endpoints (e.g., /config, /services, /ready) and extract sensitive backend configuration and internal service information. The vulnerability is caused by insufficient input validation in the callResource handler.

How It Gets Exploited

An authenticated Viewer-role user with access to the Grafana OSS instance can exploit this vulnerability. The attacker would send a crafted request to the callResource handler, manipulating the request path to escape the plugin's resource sandbox. For example, the attacker might send a request with a maliciously crafted path parameter that includes ../ characters, allowing them to traverse the directory structure and access administrative Loki endpoints. When the flaw is triggered, the attacker can extract sensitive backend configuration and internal service information.

Impact Assessment

Grafana OSS on-premises installations are affected. An attacker can achieve high confidentiality impact, potentially extracting sensitive backend configuration and internal service information. The CVSS score for this vulnerability is 7.7, indicating a HIGH severity level.

Recommended Actions

Update Grafana OSS to a patched version (Grafana OSS version with the fix is not specified in the source data, so check the vendor's advisory for the patched version). Implement proper input validation and sanitization for the callResource handler. Monitor Loki datasource plugin logs for suspicious activity. Block access to administrative Loki endpoints for users with Viewer roles.

Sources

  • National Vulnerability Database (NVD)
  • Grafana security advisory: https://grafana.com/security/security-advisories/cve-2026-42129