CVE-2026-10601
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
The Tempo and Loki datasource plugins in Grafana construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, invoke state-changing admin endpoints on Tempo (e.g., /flush, /shutdown), and exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
Risk Assessment
The organization is at risk of leaking sensitive datasource credentials, unauthorized state changes in Tempo (e.g., forced flush or shutdown), and exposure of internal service data, potentially leading to service disruption and data breaches.
Recommendation
Immediately update the Tempo and Loki datasource plugins to a version that includes URL path sanitization. Until updated, restrict datasource access to trusted users and monitor for unusual HTTP requests.
Original NVD description (English source)
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.

