{"id":"CVE-2026-21726","summary":"Loki Path Traversal - CVE-2021-36156 Bypass","details":"The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after only a single URL decode. By double-encoding the traversal sequence, an attacker can read files through the Ruler API endpoint /loki/api/v1/rules/{namespace}.\n\nThanks to Prasanth Sundararajan for reporting this vulnerability.","aliases":["GHSA-497x-rrr9-68jp"],"modified":"2026-05-18T05:57:39.014424405Z","published":"2026-04-15T19:24:31.268Z","related":["CGA-w6q8-cj25-57rp"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21726.json","unresolved_ranges":[{"extracted_events":[{"introduced":"2.3.0"},{"fixed":"3.5.9"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"GRAFANA"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21726.json"},{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2026-21726"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21726"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/loki","events":[{"introduced":"0"},{"fixed":"d80526692af3bf28c35622a59a3231933b193bc2"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"3.6.4"}],"cpe":"cpe:2.3:a:grafana:loki:*:*:*:*:*:*:*:*"}}],"versions":["v3.6.3","v3.6.2","v3.6.1","v3.6.0","helm-loki-6.43.0","helm-loki-6.42.0","helm-loki-6.41.1","helm-loki-6.41.0","helm-loki-6.40.0","helm-loki-6.39.0","helm-loki-6.38.0","helm-loki-6.37.0","helm-loki-6.36.1","helm-loki-6.36.0","helm-loki-6.35.1","helm-loki-6.35.0","helm-loki-6.34.0","helm-loki-6.33.0","helm-loki-6.32.0","helm-loki-6.31.0","helm-loki-6.30.1","helm-loki-6.29.0","operator/v0.8.0","helm-loki-6.28.0","helm-loki-6.27.0","helm-loki-6.26.0","helm-loki-6.25.1","helm-loki-6.25.0","helm-loki-6.24.1","helm-loki-6.24.0","helm-loki-6.23.0","helm-loki-6.22.0","helm-loki-6.21.0"
,"helm-loki-6.20.0","operator/v0.7.1","helm-loki-6.19.0","pkg/logql/syntax/v0.0.1","operator/v0.7.0","helm-loki-6.18.0","helm-loki-6.16.0","operator/v0.6.2","helm-loki-6.12.0","helm-loki-6.11.0","helm-loki-6.10.2","helm-loki-6.10.1","helm-loki-6.10.0","helm-loki-6.9.0","helm-loki-6.8.0","helm-loki-6.7.4","helm-loki-6.7.3","helm-loki-6.7.2","helm-loki-6.7.1","helm-loki-6.7.0","helm-loki-6.6.6","helm-loki-6.6.5","helm-loki-6.6.4","helm-loki-6.6.3","operator/v0.6.1","helm-loki-6.6.2","helm-loki-6.6.1","helm-loki-6.6.0","helm-loki-6.5.2","helm-loki-6.5.1","helm-loki-5.47.2","helm-loki-6.5.0","helm-loki-6.4.2","helm-loki-6.4.1","helm-loki-6.4.0","helm-loki-6.3.3","helm-loki-6.3.4","helm-loki-6.3.2","helm-loki-6.3.1","helm-loki-6.3.0","helm-loki-6.2.5","helm-loki-6.2.4","helm-loki-6.2.3","helm-loki-6.2.2","helm-loki-6.2.1","helm-loki-6.2.0","helm-loki-6.1.0","helm-loki-6.0.0","operator/v0.6.0","helm-loki-5.47.1","helm-loki-5.47.0","helm-loki-5.46.0","helm-loki-5.45.0","helm-loki-5.44.4","helm-loki-5.44.3","helm-loki-5.44.2","helm-loki-5.44.1","helm-loki-5.44.0","helm-loki-5.43.7","helm-loki-5.43.6","helm-loki-5.43.5","helm-loki-5.43.4","helm-loki-5.43.3","helm-loki-5.43.2","helm-loki-5.43.1","helm-loki-5.43.0","helm-loki-5.42.3","helm-loki-5.42.2","helm-loki-5.42.1","helm-loki-5.42.0","helm-loki-5.41.8","helm-loki-5.41.7","helm-loki-5.41.6","helm-loki-5.41.5","helm-loki-5.41.4","helm-loki-5.41.3","helm-loki-5.41.2","helm-loki-5.41.1","helm-loki-5.41.0","helm-loki-5.40.1","helm-loki-5.39.0","helm-loki-5.38.0","helm-loki-5.37.0","helm-loki-5.36.3","helm-loki-5.36.2","helm-loki-5.36.1","helm-loki-5.36.0","operator/v0.5.0","helm-loki-5.35.0","helm-loki-5.34.0","helm-loki-5.33.0","helm-loki-5.32.0","helm-loki-5.31.0","helm-loki-5.30.0","helm-loki-5.29.0","helm-loki-5.28.0","helm-loki-5.27.0","helm-loki-5.26.0","helm-loki-5.25.0","helm-loki-5.24.0","helm-loki-5.23.1","helm-loki-5.23.0","helm-loki-5.22.2","helm-loki-5.22.1","helm-loki-5.22.0","helm-loki-5.21.0","helm-loki-5.20.0
","helm-loki-5.19.0","helm-loki-5.18.1","helm-loki-5.18.0","helm-loki-5.17.0","helm-loki-5.15.0","helm-loki-5.14.1","helm-loki-5.14.0","helm-loki-5.13.0","helm-loki-5.12.0","helm-loki-5.11.0","helm-loki-5.10.0","operator/v0.4.0","helm-loki-5.9.2","helm-loki-5.9.1","helm-loki-5.9.0","helm-loki-5.8.11","helm-loki-5.8.10","helm-loki-5.8.9","helm-loki-5.8.8","helm-loki-5.8.7","helm-loki-5.8.6","helm-loki-5.8.5","helm-loki-5.8.4","helm-loki-5.8.3","helm-loki-5.8.2","helm-loki-5.8.1","helm-loki-5.8.0","helm-loki-5.7.1","helm-loki-5.6.4","helm-loki-5.6.3","helm-loki-5.6.2","helm-loki-5.6.1","helm-loki-5.6.0","helm-loki-5.5.10","helm-loki-5.5.12","helm-loki-5.5.11","helm-loki-5.5.9","helm-loki-5.5.8","helm-loki-5.5.7","helm-loki-5.5.6","helm-loki-5.5.5","helm-loki-5.5.4","helm-loki-5.5.3","helm-loki-5.5.2","helm-loki-5.5.1","helm-loki-5.5.0","helm-loki-5.4.0","helm-loki-5.3.1","helm-loki-5.3.0","helm-loki-5.2.0","helm-loki-5.1.0","helm-loki-5.0.0","helm-loki-4.10.0","helm-loki-4.9.0","helm-loki-4.8.0","helm-loki-4.7.0","helm-loki-4.6.2","helm-loki-4.6.1","helm-loki-4.6.0","helm-loki-4.5.1","helm-loki-4.5.0","helm-loki-4.4.2","helm-loki-4.4.1","helm-loki-4.4.0","helm-loki-4.3.0","helm-loki-4.2.0","helm-loki-4.1.0","helm-loki-4.0.0","helm-loki-3.10.0","helm-loki-3.9.0","helm-loki-3.8.2","helm-loki-3.8.1","helm-loki-3.8.0","helm-loki-3.7.0","helm-loki-3.6.1","helm-loki-3.6.0","helm-loki-3.5.0","helm-loki-3.4.3","helm-loki-3.4.2","helm-loki-3.4.1","helm-loki-3.4.0","helm-loki-3.3.4","helm-loki-3.3.3","helm-loki-3.3.2","helm-loki-3.3.1","helm-loki-3.3.0","helm-loki-3.2.2","helm-loki-3.2.1","helm-loki-3.2.0","helm-loki-3.1.0","helm-loki-3.0.9","helm-loki-3.0.8","helm-loki-3.0.7","helm-loki-3.0.6","helm-loki-3.0.5","helm-loki-3.0.4","helm-loki-3.0.3","helm-loki-3.0.2","helm-loki-3.0.1","helm-loki-3.0.0","v2.0.0","v1.6.0","v1.5.0","v1.3.0","v1.2.0","v1.1.0","v1.0.0","v0.4.0","v0.3.0","v0.2.0","v1.0.1","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-
cve-osv-conversion/osv-output/CVE-2026-21726.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}