CVE-2026-42129

HIGH NVD

CVSS Score 7.7

Severity HIGH

Published Jun 22, 2026

Vendor unknown

Description

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.

References

https://grafana.com/security/security-advisories/cve-2026-42129