CVE-2026-21726
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
The CVE-2026-21726 vulnerability allows an attacker to read files by exploiting double encoding in the namespace parameter at the Ruler API endpoint.
Risk Assessment
The organization may be exposed to unauthorized access to sensitive data, potentially leading to privacy breaches and information security issues.
Recommendation
It is recommended to implement additional parameter validation mechanisms and monitor access to API endpoints.
Original NVD description (English source)
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.

