Path traversal in the Tempo and Loki data source plugins
Summary
| CVE | CVE-2026-10601 |
|---|---|
| State | PUBLISHED |
| Assigner | GRAFANA |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 14:16:25 UTC |
| Updated | 2026-07-10 16:16:22 UTC |
| Description | A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the configured backend. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.002580000 probability, percentile 0.172090000 (date 2026-07-12)
Problem Types: CWE-22 | CWE-22 CWE-22 | CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | [email protected] | Secondary | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| 3.1 | CNA | DECLARED | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Grafana | Grafana OSS | affected 11.6.0 11.6.14 semver | Not specified |
| CNA | Grafana | Grafana OSS | affected 12.2.0 12.2.8 semver | Not specified |
| CNA | Grafana | Grafana OSS | affected 12.3.0 12.3.6 semver | Not specified |
| CNA | Grafana | Grafana OSS | affected 12.4.0 12.4.3 semver | Not specified |
| CNA | Grafana | Grafana OSS | affected 13.0.0 13.0.1 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| grafana.com/security/security-advisories/cve-2026-10601 | [email protected] | grafana.com | Broken Link |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: homb (Researcher) (en)
There are currently no legacy QID mappings associated with this CVE.