logo

Database

Cross-site request forgery In grafana

Description

Grafana Loki Path Traversal - CVE-2021-36156 Bypass The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}

Thanks to Prasanth Sundararajan for reporting this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-217262. NVD-2026-217263. OSV-2026-217264. GCVE-2026-21726

References

1. https://grafana.com/security/security-advisories/cve-2026-21726

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.