{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-10601", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-06-02T09:57:26.570Z", "datePublished": "2026-06-22T13:18:31.531Z", "dateUpdated": "2026-07-10T18:44:38.226Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-07-10T18:44:38.226Z" }, "datePublic": "2026-06-09T00:00:00.000Z", "title": "Path traversal in the Tempo and Loki data source plugins", "descriptions": [ { "lang": "en", "value": "A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the configured backend." } ], "affected": [ { "vendor": "Grafana", "product": "Grafana OSS", "defaultStatus": "unaffected", "versions": [ { "version": "11.6.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "11.6.14" }, { "version": "12.2.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "12.2.8" }, { "version": "12.3.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "12.3.6" }, { "version": "12.4.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "12.4.3" }, { "version": "13.0.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "13.0.1" } ] } ], "references": [ { "url": "https://grafana.com/security/security-advisories/cve-2026-10601", "tags": [ "vendor-advisory" ] } ], "metrics": [ { "cvssV3_1": { "version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" } } ], "credits": [ { "lang": "en", "value": "homb (Researcher)", "type": "finder" } ], "source": { "discovery": "BUG_BOUNTY" }, "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "CWE-22", "cweId": "CWE-22", "type": "CWE" } ] } ], "x_generator": { "engine": "cvelib 1.8.0" } }, "adp": [ { "problemTypes": [ { "descriptions": [ { "type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" } ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-22T15:44:03.006985Z", "id": "CVE-2026-10601", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T15:54:19.712Z" } } ] } }