CVE-2026-42129 - Grafana Loki datasource callResource traversal
CVE-2026-42129 affects Grafana’s Loki datasource callResource handling. An
authenticated user with Viewer access can escape the intended plugin resource
sandbox and call administrative Loki endpoints such as /config, /services,
and /ready, exposing backend configuration and internal service details.
Exposure exists when the repository deploys a vulnerable Grafana release and Viewer-role users can query a Loki datasource that fronts sensitive internal infrastructure.
When to use it
- A repository deploys Grafana OSS/Enterprise with Loki datasources and controlled Helm, Docker, Kustomize, Terraform, or provisioning artifacts.
- Viewer-role users, service accounts, support users, tenants, or agents can access dashboards or Explore views backed by Loki.
- Grafana can reach Loki administrative endpoints such as
/config,/services, or/readythat should not be exposed through datasource queries. - You need a bounded PR or triage note that upgrades Grafana and contains datasource/admin-endpoint exposure without querying live sensitive endpoints.
Inputs
- Grafana image/package/chart versions, datasource provisioning files, Helm values, dashboard/folder permissions, RBAC/team mappings, network policies, proxy config, SBOMs, generated manifests, and runbooks.
- Loki datasource inventory, Viewer/service-account access, admin endpoint reachability, internal topology sensitivity, audit log ownership, and rollout owners.
- Available config render, image/version checks, authz tests, dashboard/RBAC policy checks, container build, SBOM, and dependency/security scans.
Affected versions
| Product | Vulnerable versions | Fixed versions |
|---|---|---|
Grafana OSS |
< 11.6.15 |
11.6.15+ |
Grafana OSS |
>= 12.2.0, < 12.2.9 |
12.2.9+ |
Grafana OSS |
>= 12.3.0, < 12.3.7 |
12.3.7+ |
Grafana OSS |
>= 12.4.0, < 12.4.4 |
12.4.4+ |
Grafana OSS |
>= 13.0.0, < 13.0.2 |
13.0.2+ |
Indicator-of-exposure
- The repository deploys one of the vulnerable Grafana trains above.
- A Loki datasource is configured and reachable from Grafana.
- Viewer-role users can access dashboards or Explore views backed by that datasource.
- Loki administrative endpoints expose sensitive configuration, service-state, or internal topology data.
Quick checks:
rg -n "grafana|loki|datasources|Viewer|role|Explore|callResource" .
rg -n "loki|datasources.yaml|grafana.ini|viewers_can_edit|role" helm charts k8s deploy docker-compose*.yml provisioning conf
Windows:
rg -n "grafana|loki|datasources|Viewer|role|Explore|callResource" .
rg -n "loki|datasources.yaml|grafana.ini|viewers_can_edit|role" helm charts k8s deploy docker-compose*.yml provisioning conf
Do not prove exposure by requesting sensitive Loki admin endpoints from a live production Grafana instance.
Remediation strategy
- Upgrade Grafana to a fixed release train:
11.6.15+,12.2.9+,12.3.7+,12.4.4+, or13.0.2+, depending on the branch you maintain. - Limit who can access affected Loki datasources while patching.
- Review whether Loki admin endpoints are reachable from Grafana at all; if not needed, block them with reverse-proxy or network policy controls.
- Audit dashboards, folders, teams, and service accounts that hold Viewer access to the affected datasource.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-42129, a high-severity Grafana Loki datasource
path traversal that lets Viewer-role users reach administrative Loki endpoints.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Grafana, constrains datasource
exposure, adds safe verification, and documents operator review steps, or
- TRIAGE.md if this repository does not control an affected Grafana runtime,
datasource configuration, or access model.
## Rules
- Scope only CVE-2026-42129 and directly related Grafana/Loki datasource access,
role exposure, and network boundary hardening.
- Treat datasource credentials, backend config, internal service endpoints, and
audit logs as sensitive.
- Do not request sensitive Loki admin endpoints from a live system.
- Do not auto-merge.
## Steps
1. Inventory every controlled Grafana image, package, Helm chart, datasource
provisioning file, and access-control definition.
2. Resolve deployed versions against the affected trains.
3. Confirm whether Loki datasources are configured and who can access them.
4. Determine whether Grafana can reach Loki administrative endpoints that are
not needed for ordinary querying.
5. If this repository does not own the Grafana runtime or datasource config,
stop with `TRIAGE.md`.
6. Upgrade Grafana to the nearest fixed supported release for the maintained
train.
7. Tighten datasource exposure while patching:
- restrict Viewer access where practical;
- review folder/dashboard permissions;
- reduce service-account scope;
- block unnecessary Loki admin endpoints with proxy or network policy.
8. Add safe checks that assert fixed Grafana versions and intended datasource
permission boundaries.
9. Add a PR body section named `CVE-2026-42129 operator actions` covering:
- versions before and after;
- which Loki datasources were exposed to Viewers;
- whether Loki admin endpoints remain reachable from Grafana;
- what access logs and dashboard permissions operators should review.
10. Run relevant validation: config render, dependency/image checks, authz
tests, container build, and deployment diffs.
11. Use PR title:
`fix(sec): contain Grafana Loki datasource traversal`.
## Stop conditions
- No controlled vulnerable Grafana runtime exists.
- Loki datasource access is managed entirely outside this repository.
- Verification would require requesting sensitive admin endpoints from a live
environment.
Verification - what the reviewer looks for
- No controlled Grafana deployment remains on a vulnerable release train.
- Loki datasource access is limited to intended users and service accounts.
- Unnecessary Loki admin endpoints are no longer reachable from Grafana where controlled here.
- Reviewer notes explain the branch-specific upgrade path applied.
Output contract
- Reviewer-ready PR upgrading every controlled Grafana deployment to a fixed release train with aligned image tags/digests, Helm values, provisioning, SBOMs, generated manifests, and docs.
- Datasource access review for Viewer roles, service accounts, folders, dashboards, Explore, and tenant/support/agent identities.
- Network or proxy policy blocking unnecessary Loki admin endpoints from Grafana where the repository controls that boundary.
TRIAGE.mdwhen Grafana runtime, Loki datasource config, RBAC, or network containment is outside this repository.
Watch for
- Updating one Grafana train but leaving another maintained train vulnerable.
- Fixing the binary version while old container tags or Helm values still pin vulnerable images.
- Leaving overly broad Viewer access to sensitive Loki-backed dashboards.
Related recipes
- CVE-2026-43824 Argo CD ServerSideDiff secret disclosure
- Critical infrastructure secure context
- CVE intelligence intake gate
References
- Grafana release notes: https://github.com/grafana/grafana/releases
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-42129
- OpenCVE entry: https://app.opencve.io/cve/CVE-2026-42129