{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21726", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-01-05T09:26:06.215Z", "datePublished": "2026-04-15T19:24:31.268Z", "dateUpdated": "2026-05-13T19:28:29.093Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:29.093Z"}, "datePublic": "2026-04-15T19:20:00.780Z", "title": "Loki Path Traversal - CVE-2021-36156 Bypass", "descriptions": [{"lang": "en", "value": "The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}\n\nThanks to Prasanth Sundararajan for reporting this vulnerability."}], "affected": [{"vendor": "Grafana", "product": "Loki", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "2.3.0", "status": "affected", "versionType": "semver", "lessThan": "3.5.9"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21726", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T20:01:24.769436Z", "id": "CVE-2026-21726", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:58:17.749Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21726", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T20:01:24.769436Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:01:29.185Z"}}], "cna": {"title": "Loki Path Traversal - CVE-2021-36156 Bypass", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Loki", "versions": [{"status": "affected", "version": "2.3.0", "lessThan": "3.5.9", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T19:20:00.780Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-21726", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}\n\nThanks to Prasanth Sundararajan for reporting this vulnerability."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:29.093Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21726", "state": "PUBLISHED", "dateUpdated": "2026-05-13T19:28:29.093Z", "dateReserved": "2026-01-05T09:26:06.215Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-04-15T19:24:31.268Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:loki:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A927B56-3873-4166-8F65-6E312D898B03", "versionEndExcluding": "3.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}\n\nThanks to Prasanth Sundararajan for reporting this vulnerability."}], "id": "CVE-2026-21726", "lastModified": "2026-04-20T20:08:40.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-04-15T20:16:34.177", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-21726"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Loki: Loki: Information disclosure via path traversal vulnerability", "id": "2458801", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458801"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-76", "details": ["A flaw was found in Loki. A remote attacker can exploit a path traversal vulnerability by using double encoding on the namespace parameter after a single URL decode. This allows the attacker to read arbitrary files at the Ruler API endpoint, leading to information disclosure."], "name": "CVE-2026-21726", "package_state": [{"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Fix deferred", "package_name": "openshift-logging/loki-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Fix deferred", "package_name": "network-observability/network-observability-rhel9-operator", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-promtail-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "rhoso-operators/telemetry-rhel9-operator", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-04-15T19:24:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21726\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21726\nhttps://grafana.com/security/security-advisories/cve-2026-21726"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,3.5.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loki", "source": "cna", "vendor": "Grafana"}, "product": "loki", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-04-21T00:06:50.566081+00:00", "value": {"mitigation_remediation": ["Upgrade Grafana Loki to a version that includes the CVE\u20112021\u201136156 patch", "If immediate upgrade is not possible, isolate the Loki instance from external networks to limit remote access to the Ruler API", "Configure access controls to restrict who can query the /loki/api/v1/rules/{namespace} endpoint, ensuring only authenticated and authorized users can provide namespace parameters"], "summary": {"action": "Prioritize Patch", "impact": "Read arbitrary local files via the Ruler API"}, "threat_synthesis": {"affected_systems": "Grafana Loki deployments that have not yet applied the fix for CVE-2021-36156. The vulnerability is specifically tied to the Ruler API endpoint and applies to any version of Loki before the patched release; no exact version range was supplied in the advisory.", "description_and_impact": "A double URL\u2011encoding bypass allows an attacker to trick the Loki namespace validator into performing a single decode that still contains a path traversal sequence. The attacker can then read files through the /loki/api/v1/rules/{namespace} endpoint. The impact is that sensitive files on the host can be exfiltrated, potentially exposing configuration or credential data. The weakness corresponds to improper path traversal handling (CWE-22, CWE-76).", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and the EPSS score of < 1% indicates an extremely low exploitation probability. The vulnerability is not currently in the CISA KEV catalog. Attack vectors are inferred to be network\u2011based; an entity with network access to the Ruler API could craft the payload. Exploitation requires only that the attacker can supply a crafted namespace parameter via an HTTP request to the Loki instance."}}}}, "created": "2026-04-15T21:30:13.802776+00:00", "updated": "2026-04-21T00:15:16.121983+00:00", "vendors": ["grafana", "grafana$PRODUCT$loki"]}