The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
PUBLISHED5.2
Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
Affected products
Grafana
Grafana OSS
11.6.0 - AFFECTED
References
GitHub Security Advisories
GHSA-9493-h4f5-633x
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user...
https://github.com/advisories/GHSA-9493-h4f5-633xThe Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-10601Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-10601",
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"dateUpdated": "2026-06-22T15:44:16.125Z",
"dateReserved": "2026-06-02T09:57:26.570Z",
"datePublished": "2026-06-22T13:18:31.531Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA",
"dateUpdated": "2026-06-22T13:18:31.531Z"
},
"datePublic": "2026-06-06T13:55:46.009Z",
"title": "Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access",
"descriptions": [
{
"lang": "en",
"value": "The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies."
}
],
"affected": [
{
"vendor": "Grafana",
"product": "Grafana OSS",
"platforms": [
"Cloud",
"OnPrem"
],
"defaultStatus": "unaffected",
"versions": [
{
"version": "11.6.0",
"status": "affected",
"versionType": "semver"
}
]
}
],
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2026-10601",
"tags": [
"vendor-advisory"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"value": "homb (Researcher)",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T15:44:16.125Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}