CVE-2026-10601
Published 2026-06-22
Priority: P4 26 · Medium 4.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.30% (22.0th percentile)
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
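The description above names the bug class (CWE-22 in a URL builder) but not what the fix looks like. The following is an added example, not code from Grafana or the Tempo/Loki datasource plugins, that shows the vulnerable pattern beside a hardened builder in Go, the plugins' language. The base URL, function names and the identifier allowlist are assumptions for illustration; the vulnerable variant cleans the path the way a receiving HTTP server normalizes dot segments, so the returned URL shows where a `../` value actually lands. It also demonstrates a caveat practitioners hit when fixing this class: `url.URL.JoinPath` resolves `../` silently instead of rejecting it, so it is not a defence on its own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed example, not Grafana's or the Tempo/Loki plugin's own code.
// It models a datasource backend that turns a user-supplied identifier (a
// trace ID for Tempo, a label name for Loki) into a request against the
// admin-configured datasource URL. The base URL, function names and the
// allowlist below are assumptions made for illustration.

var ErrPathEscape = errors.New("identifier would escape the datasource path")

// buildTargetVulnerable reproduces the CWE-22 pattern from the advisory: the
// user value is concatenated onto the path with no validation or escaping.
// The path is then cleaned the way the receiving HTTP server normalizes dot
// segments, so the returned URL shows where the request actually lands.
func buildTargetVulnerable(base, userValue string) (*url.URL, error) {
	u, err := url.Parse(base + userValue) // ".../api/traces/" + "../../shutdown"
	if err != nil {
		return nil, err
	}
	u.Path = path.Clean(u.Path) // "/api/traces/../../shutdown" becomes "/shutdown"
	u.RawPath = ""
	return u, nil
}

// segmentRe is an allowlist for the identifiers this endpoint accepts (hex
// trace IDs, label names). It is an assumption; tighten it per endpoint.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9_]+$`)

// buildTargetSafe treats the user value as exactly one path segment: it must
// match the allowlist, it is percent-encoded, and the final URL must still be
// on the configured origin under the configured prefix.
func buildTargetSafe(base, userValue string) (*url.URL, error) {
	b, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	if !segmentRe.MatchString(userValue) {
		return nil, ErrPathEscape
	}
	t := b.JoinPath(url.PathEscape(userValue))
	// Defence in depth: JoinPath resolves "../" silently rather than rejecting
	// it, so verify the result before any secureJsonData headers are attached.
	if t.Scheme != b.Scheme || t.Host != b.Host ||
		!strings.HasPrefix(t.EscapedPath(), b.EscapedPath()) {
		return nil, ErrPathEscape
	}
	return t, nil
}

// joinPathResolves shows the caveat: given "../" input, JoinPath returns a
// clean URL outside the prefix instead of an error.
func joinPathResolves(base, userValue string) string {
	b, err := url.Parse(base)
	if err != nil {
		return ""
	}
	return b.JoinPath(userValue).Path
}

func main() {
	const base = "https://tempo.internal:3200/api/traces/" // assumed datasource URL
	for _, v := range []string{"4bf92f3577b34da6a3ce929d0e0e4736", "../../shutdown"} {
		vu, verr := buildTargetVulnerable(base, v)
		su, serr := buildTargetSafe(base, v)
		fmt.Printf("%-36q vulnerable=%v (%v) safe=%v (%v)\n", v, vu, verr, su, serr)
	}
	fmt.Println("JoinPath with ../../flush gives path", joinPathResolves(base, "../../flush"))
}
```

With the assumed base URL, `../../shutdown` resolves to `/shutdown` in the vulnerable builder and is rejected by the safe one, as is `..%2F..%2Fshutdown`, since the percent sign fails the allowlist before any decoding can happen. The origin-and-prefix check is also the natural gate for the credential-capture case in the advisory: secureJsonData custom headers should only be attached to a request whose target has passed it.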
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana_oss | — | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
| rhceph | grafana-rhel9 | — | — |
| rhceph | rhceph-5-dashboard-rhel8 | — | — |
| rhceph | rhceph-6-dashboard-rhel9 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Red Hat (vendor) | 5.4 | MEDIUM | — |
GHSA
ghsa_unreviewed · 2026-06-22
CVE-2026-10601 [MEDIUM] The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal.
Red Hat
vendor_redhat · 2026-06-22 · CVSS 5.4 · CWE-22
CVE-2026-10601 [MEDIUM] grafana: tempo: loki: Tempo and Loki Datasource Plugins: Information disclosure and unauthorized actions via path traversal
A flaw was found in the Tempo and Loki datasource plugins. A remote attacker with a Viewer role could exploit a path traversal vulnerability by manipulating user-su
No detection rules found.
No public exploits indexed.