PT-2026-21013 · Grafana · Loki

Published 2026-01-26 · Updated 2026-05-18 · CVE-2026-21726

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Loki (affected versions not specified)

Description: Loki, a log aggregation and storage system, improperly restricts a directory path name. The namespace parameter is validated for path traversal sequences after only a single URL decode, so a remote attacker can bypass the validation with double encoding and gain unauthorized access to protected information via the Ruler API endpoint '/loki/api/v1/rules/{namespace}'.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
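
For teams reviewing their own handlers for the same weakness class, the following added example (not Loki's code and not from this advisory) contrasts a check made after one URL decode with one made on the fully decoded value. The function names and inputs are constructed, and rejecting names that contain a literal '%' is an assumed, deliberately conservative policy.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errUnsafe = errors.New("unsafe namespace")

// hasTraversal reports whether s is unusable as a single path component.
func hasTraversal(s string) bool {
	return s == "" || s == "." || s == ".." || strings.ContainsAny(s, "/\\\x00")
}

// singleDecodeAccepts models the weak pattern: validate after exactly one decode.
func singleDecodeAccepts(raw string) bool {
	once, err := url.PathUnescape(raw)
	return err == nil && !hasTraversal(once)
}

// canonicalNamespace (hypothetical helper) decodes until the value stops
// changing, then validates that final form; at most 5 rounds are allowed.
func canonicalNamespace(raw string) (string, error) {
	cur := raw
	for i := 0; i < 5; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil {
			return "", fmt.Errorf("%w: malformed escape in %q", errUnsafe, raw)
		}
		if next == cur { // fixed point: no encoding layers remain
			if hasTraversal(cur) {
				return "", fmt.Errorf("%w: %q", errUnsafe, raw)
			}
			return cur, nil
		}
		cur = next
	}
	return "", fmt.Errorf("%w: encoding nested too deeply", errUnsafe)
}

func main() {
	// Constructed sample inputs: plain, single-encoded, double-encoded.
	for _, in := range []string{"team-a", "%2e%2e%2fx", "%252e%252e%252fx"} {
		_, err := canonicalNamespace(in)
		fmt.Printf("%q single-decode accepts=%v hardened err=%v\n", in, singleDecodeAccepts(in), err)
	}
}
```

The same canonical value should be the only one passed to storage code, and resolving the final path and confirming it stays under the rules directory is a useful second check.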

Open Redirect

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-02012
CLEANSTART-2026-ET12387
CLEANSTART-2026-GN78570
CLEANSTART-2026-JG72006
CLEANSTART-2026-NR54556
CLEANSTART-2026-QV77143
CLEANSTART-2026-VT65447
CVE-2026-21726
GHSA-497X-RRR9-68JP

Affected Products

Loki