
cpe:2.3:a:grafana:loki:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Grafana (7564912d-bb81-50cf-9eb9-f573ac2fa519)
Product: Loki (f4800d17-5bb5-5d58-8660-d5266423cdce)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:docker/grafana/loki | purl2cpe | 2026-06-01 10:14:45.891539
pkg:github/grafana/loki | purl2cpe | 2026-06-01 10:14:45.891542
pkg:rpm/opensuse/loki | purl2cpe | 2026-06-01 10:14:45.891545
pkg:sourceforge/grafana-loki.mirror | purl2cpe | 2026-06-01 10:14:45.891548

Vulnerability references

Identifier: CVE:CVE-2026-21726
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:15:51.538918
db.gcve.eu details: Loki Path Traversal - CVE-2021-36156 Bypass
MEDIUM (5.3)
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Sundararajan for reporting this vulnerability.
Published: 2026-04-15T19:24:31.268Z
Updated: 2026-05-13T19:28:29.093Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2021-36156
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:44:57.189357
db.gcve.eu details: Details available
An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.
Published: 2021-08-03T14:12:11.000Z
Updated: 2024-08-04T00:47:43.938Z
Rationale: Imported from gcve-enriched-dumps CVE data
