CVE-2026-42129 - Grafana Loki datasource callResource traversal

CVE-2026-42129 affects Grafana’s Loki datasource callResource handling. An authenticated user with Viewer access can escape the intended plugin resource sandbox and call administrative Loki endpoints such as /config, /services, and /ready, exposing backend configuration and internal service details.

Exposure exists when the repository deploys a vulnerable Grafana release and Viewer-role users can query a Loki datasource that fronts sensitive internal infrastructure.

When to use it

  • A repository deploys Grafana OSS/Enterprise with Loki datasources and controlled Helm, Docker, Kustomize, Terraform, or provisioning artifacts.
  • Viewer-role users, service accounts, support users, tenants, or agents can access dashboards or Explore views backed by Loki.
  • Grafana can reach Loki administrative endpoints such as /config, /services, or /ready that should not be exposed through datasource queries.
  • You need a bounded PR or triage note that upgrades Grafana and contains datasource/admin-endpoint exposure without querying live sensitive endpoints.

Inputs

  • Grafana image/package/chart versions, datasource provisioning files, Helm values, dashboard/folder permissions, RBAC/team mappings, network policies, proxy config, SBOMs, generated manifests, and runbooks.
  • Loki datasource inventory, Viewer/service-account access, admin endpoint reachability, internal topology sensitivity, audit log ownership, and rollout owners.
  • Available config render, image/version checks, authz tests, dashboard/RBAC policy checks, container build, SBOM, and dependency/security scans.

Affected versions

Product Vulnerable versions Fixed versions
Grafana OSS < 11.6.15 11.6.15+
Grafana OSS >= 12.2.0, < 12.2.9 12.2.9+
Grafana OSS >= 12.3.0, < 12.3.7 12.3.7+
Grafana OSS >= 12.4.0, < 12.4.4 12.4.4+
Grafana OSS >= 13.0.0, < 13.0.2 13.0.2+

Indicator-of-exposure

  • The repository deploys one of the vulnerable Grafana trains above.
  • A Loki datasource is configured and reachable from Grafana.
  • Viewer-role users can access dashboards or Explore views backed by that datasource.
  • Loki administrative endpoints expose sensitive configuration, service-state, or internal topology data.

Quick checks:

rg -n "grafana|loki|datasources|Viewer|role|Explore|callResource" .
rg -n "loki|datasources.yaml|grafana.ini|viewers_can_edit|role" helm charts k8s deploy docker-compose*.yml provisioning conf

Windows:

rg -n "grafana|loki|datasources|Viewer|role|Explore|callResource" .
rg -n "loki|datasources.yaml|grafana.ini|viewers_can_edit|role" helm charts k8s deploy docker-compose*.yml provisioning conf

Do not prove exposure by requesting sensitive Loki admin endpoints from a live production Grafana instance.

Remediation strategy

  • Upgrade Grafana to a fixed release train: 11.6.15+, 12.2.9+, 12.3.7+, 12.4.4+, or 13.0.2+, depending on the branch you maintain.
  • Limit who can access affected Loki datasources while patching.
  • Review whether Loki admin endpoints are reachable from Grafana at all; if not needed, block them with reverse-proxy or network policy controls.
  • Audit dashboards, folders, teams, and service accounts that hold Viewer access to the affected datasource.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-42129, a high-severity Grafana Loki datasource
path traversal that lets Viewer-role users reach administrative Loki endpoints.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Grafana, constrains datasource
  exposure, adds safe verification, and documents operator review steps, or
- TRIAGE.md if this repository does not control an affected Grafana runtime,
  datasource configuration, or access model.

## Rules

- Scope only CVE-2026-42129 and directly related Grafana/Loki datasource access,
  role exposure, and network boundary hardening.
- Treat datasource credentials, backend config, internal service endpoints, and
  audit logs as sensitive.
- Do not request sensitive Loki admin endpoints from a live system.
- Do not auto-merge.

## Steps

1. Inventory every controlled Grafana image, package, Helm chart, datasource
   provisioning file, and access-control definition.
2. Resolve deployed versions against the affected trains.
3. Confirm whether Loki datasources are configured and who can access them.
4. Determine whether Grafana can reach Loki administrative endpoints that are
   not needed for ordinary querying.
5. If this repository does not own the Grafana runtime or datasource config,
   stop with `TRIAGE.md`.
6. Upgrade Grafana to the nearest fixed supported release for the maintained
   train.
7. Tighten datasource exposure while patching:
   - restrict Viewer access where practical;
   - review folder/dashboard permissions;
   - reduce service-account scope;
   - block unnecessary Loki admin endpoints with proxy or network policy.
8. Add safe checks that assert fixed Grafana versions and intended datasource
   permission boundaries.
9. Add a PR body section named `CVE-2026-42129 operator actions` covering:
   - versions before and after;
   - which Loki datasources were exposed to Viewers;
   - whether Loki admin endpoints remain reachable from Grafana;
   - what access logs and dashboard permissions operators should review.
10. Run relevant validation: config render, dependency/image checks, authz
    tests, container build, and deployment diffs.
11. Use PR title:
    `fix(sec): contain Grafana Loki datasource traversal`.

## Stop conditions

- No controlled vulnerable Grafana runtime exists.
- Loki datasource access is managed entirely outside this repository.
- Verification would require requesting sensitive admin endpoints from a live
  environment.

Verification - what the reviewer looks for

  • No controlled Grafana deployment remains on a vulnerable release train.
  • Loki datasource access is limited to intended users and service accounts.
  • Unnecessary Loki admin endpoints are no longer reachable from Grafana where controlled here.
  • Reviewer notes explain the branch-specific upgrade path applied.

Output contract

  • Reviewer-ready PR upgrading every controlled Grafana deployment to a fixed release train with aligned image tags/digests, Helm values, provisioning, SBOMs, generated manifests, and docs.
  • Datasource access review for Viewer roles, service accounts, folders, dashboards, Explore, and tenant/support/agent identities.
  • Network or proxy policy blocking unnecessary Loki admin endpoints from Grafana where the repository controls that boundary.
  • TRIAGE.md when Grafana runtime, Loki datasource config, RBAC, or network containment is outside this repository.

Watch for

  • Updating one Grafana train but leaving another maintained train vulnerable.
  • Fixing the binary version while old container tags or Helm values still pin vulnerable images.
  • Leaving overly broad Viewer access to sensitive Loki-backed dashboards.

References