CVE-2026-42129
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
A vulnerability in the Loki data source plugin allows a user with Viewer permissions to exploit a path traversal to reach administrative Loki endpoints. This enables reading sensitive backend configuration and internal service information.
Risk Assessment
The organization risks exposure of confidential configuration data and internal service details, which could facilitate further attacks on systems monitored by Loki.
Recommendation
Immediately update the Loki data source plugin to the latest patched version. Until the update is applied, restrict access to the Grafana dashboard to trusted users only.
Original NVD description (English source)
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.

