2458801 – (CVE-2026-21726) CVE-2026-21726 Loki: Loki: Information disclosure via path traversal vulnerability

Bug 2458801 (CVE-2026-21726) - CVE-2026-21726 Loki: Loki: Information disclosure via path traversal vulnerability

Summary: CVE-2026-21726 Loki: Loki: Information disclosure via path traversal vulnerab...

Keywords:
Status:	NEW
Alias:	CVE-2026-21726
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-15 20:02 UTC by OSIDB Bzimport
Modified:	2026-04-17 12:55 UTC (History)
CC List:	26 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-15 20:02:43 UTC

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}

Thanks to Prasanth Sundararajan for reporting this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.

alcohan
amctagga
aoconnor
bniver
eglynn
flucifre
gmeno
gparvin
groman
jbalunas
jcantril
jjoyce
jpretori
jschluet
lchilton
lhh
mbenjamin
mburns
mgarciac
mhackett
pahickey
rhaigner
rojacob
sfeifer
sostapov
vereddy