CVE Catalog

CVE-2026-21726

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

32th percentile - higher than 32% of all known CVEs

Summary

The CVE-2026-21726 vulnerability allows an attacker to read files by exploiting double encoding in the namespace parameter at the Ruler API endpoint.

Risk Assessment

The organization may be exposed to unauthorized access to sensitive data, potentially leading to privacy breaches and information security issues.

Recommendation

It is recommended to implement additional parameter validation mechanisms and monitor access to API endpoints.

Original NVD description (English source)

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS