CVE-2026-10601

CVSS Score & Metrics

Base Score

5.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L                                    

Vulnerability Description

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.

Vulnerability Details

Published Date

June 22, 2026

Last Modified

June 22, 2026

Source

NVD

Vendor

Grafana

Product

Grafana OSS

External References

https://grafana.com/security/security-advisories/cve-2026-10601

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment