PT-2026-52859 · Bitnami · Grafana
Published
2026-06-26
·
Updated
2026-06-26
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource, which returns full HTTP response bodies.
Related Identifiers
Affected Products
Grafana