CVE-2021-36156
Description
An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal, such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Grafana Loki through 2.2.1 allows reading arbitrary files via crafted X-Scope-OrgID header.
Vulnerability
Grafana Loki versions through 2.2.1 use the X-Scope-OrgID header value to construct file paths for rules files. A crafted header containing directory traversal sequences (e.g., ../../sensitive/path/in/deployment) causes Loki to attempt to parse a rules file at the attacker-specified location and include parts of its content in the resulting error message [1][4].
Exploitation
An attacker sends an HTTP request to Loki with a malicious X-Scope-OrgID header containing path traversal payloads. No authentication is required if the header is user-controllable; the attacker does not need special network position beyond access to the Loki API. The server’s response will include portions of the targeted file in the error output [4].
Impact
Successful exploitation leads to information disclosure: the attacker can read arbitrary files that the Loki process has access to. The severity depends on the sensitivity of the exposed files (e.g., configuration files, secrets). The vulnerability does not directly enable code execution or privilege escalation, but the leaked information may facilitate further attacks [1][4].
Mitigation
- Upgrade to Grafana Loki version 2.3.0 or later, which includes the fix from pull request #4020 [2][4].
- If upgrading is not immediately possible, restrict the X-Scope-OrgID header by placing a proxy in front of Loki that validates or supplies the header, preventing attacker control [4].
- Run Loki inside a container or chroot with limited file system access to constrain the set of readable files [4].
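The mitigation class above (a validating layer in front of the rules-file lookup) as an added example in Go; this is illustrative code, not Loki's own fix from pull request #4020. The tenant-ID character policy, the rules directory `/loki/rules` and the `rules.yaml` file name are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical tenant-ID policy for this example: a conservative character
// set with no path separators and no "." components. Not Loki's own rule.
var tenantIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,150}$`)

var ErrInvalidTenant = errors.New("invalid X-Scope-OrgID")

// ValidateTenantID rejects any header value that could influence a file path
// beyond a single directory component.
func ValidateTenantID(id string) error {
	if !tenantIDPattern.MatchString(id) {
		return ErrInvalidTenant
	}
	return nil
}

// RulesPath joins the tenant ID under the configured rules directory and then
// confirms the cleaned result is still inside that directory. The allow-list
// stops bad input early; the containment check is defence in depth in case
// the character policy is ever loosened.
func RulesPath(rulesDir, tenant string) (string, error) {
	if err := ValidateTenantID(tenant); err != nil {
		return "", err
	}
	base := filepath.Clean(rulesDir)
	p := filepath.Join(base, tenant, "rules.yaml")
	if !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", ErrInvalidTenant
	}
	return p, nil
}

func main() {
	// Constructed sample header values: one benign tenant and three that must be refused.
	for _, t := range []string{"team-a", "../../sensitive/path/in/deployment", "a/b", "."} {
		p, err := RulesPath("/loki/rules", t)
		fmt.Printf("%-40q -> %q %v\n", t, p, err)
	}
}
```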
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/loki (Go) | < 2.3.0 | 2.3.0 |
Affected products
- Grafana/Loki (OSV coordinates, 5 versions):
- pkg:apk/chainguard/grafana-7 (no CPE) range: < 0
- pkg:apk/chainguard/grafana-7-dashboards (no CPE) range: < 0
- pkg:apk/chainguard/grafana-7-homepage (no CPE) range: < 0
- pkg:apk/chainguard/grafana-homepage (no CPE) range: < 0
- pkg:golang/github.com/grafana/loki (no CPE) range: < 2.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-grj5-8x6q-hc9q (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36156 (GHSA, advisory)
- github.com/grafana/loki/pull/4020 (GHSA, web)
- github.com/grafana/loki/pull/4020 (GHSA, x_refsource_MISC, web)
- github.com/grafana/loki/releases/tag/v2.3.0 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.