Medium severity 5.3 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 20, 2026
CVE-2026-21726
Description
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode. By double encoding the parameter, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}.
Thanks to Prasanth Sundararajan for reporting this vulnerability.
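The failure class described above, as an added example that is not Loki's code: a check that runs after one URL decode accepts a value that a later decode turns into a traversal sequence, while a check that also requires the value to be stable under further decoding rejects it. The function names and sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errBadNamespace = errors.New("invalid namespace")

// hasTraversal reports a ".." sequence or a path separator in s.
func hasTraversal(s string) bool {
	return strings.Contains(s, "..") || strings.ContainsAny(s, `/\`)
}

// checkAfterOneDecode models the weak pattern: decode once, then validate.
func checkAfterOneDecode(raw string) (string, error) {
	dec, err := url.PathUnescape(raw)
	if err != nil || hasTraversal(dec) {
		return "", errBadNamespace
	}
	return dec, nil
}

// checkStable also rejects any value that a further decode would change,
// so no later layer can turn an accepted name into a traversal sequence.
func checkStable(raw string) (string, error) {
	dec, err := checkAfterOneDecode(raw)
	if err != nil {
		return "", err
	}
	if again, err := url.PathUnescape(dec); err != nil || again != dec {
		return "", errBadNamespace
	}
	return dec, nil
}

func main() {
	// Constructed inputs: plain, single-encoded, double-encoded.
	for _, in := range []string{"team-a", "%2e%2e%2fx", "%252e%252e%252fx"} {
		_, weak := checkAfterOneDecode(in)
		_, strict := checkStable(in)
		fmt.Printf("%-18s one-decode err=%v  stable err=%v\n", in, weak, strict)
	}
}
```

The stricter check refuses any namespace that still contains a percent escape after the first decode, which is a deliberate trade-off for an identifier that should never need one.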
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/loki/v3 (Go) | < 3.6.4 | 3.6.4 |
Affected products
osv-coords, 17 versions (no CPE for any entry):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/grafana-11.6 | < 11.6.15-r0 |
| pkg:apk/chainguard/grafana-12.2 | < 12.2.9-r0 |
| pkg:apk/chainguard/grafana-12.3 | < 12.3.7-r0 |
| pkg:apk/chainguard/grafana-12.4 | < 12.4.4-r0 |
| pkg:apk/chainguard/grafana-13.0 | < 13.0.2-r0 |
| pkg:apk/chainguard/grafana-alloy | < 1.15.1-r2 |
| pkg:apk/chainguard/grafana-alloy-fips | < 1.15.1-r1 |
| pkg:apk/chainguard/grafana-fips-12.2 | < 12.2.9-r0 |
| pkg:apk/chainguard/grafana-fips-12.3 | < 12.3.7-r0 |
| pkg:apk/chainguard/grafana-fips-12.4 | < 12.4.4-r0 |
| pkg:apk/chainguard/grafana-fips-13.0 | < 13.0.2-r0 |
| pkg:apk/wolfi/grafana-12.2 | < 12.2.9-r0 |
| pkg:apk/wolfi/grafana-12.3 | < 12.3.7-r0 |
| pkg:apk/wolfi/grafana-12.4 | < 12.4.4-r0 |
| pkg:apk/wolfi/grafana-13.0 | < 13.0.2-r0 |
| pkg:apk/wolfi/grafana-alloy | < 1.15.1-r2 |
| pkg:golang/github.com/grafana/loki/v3 | < 3.6.4 |
References
- github.com/advisories/GHSA-497x-rrr9-68jp (ghsa, ADVISORY)
- grafana.com/security/security-advisories/cve-2026-21726 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-21726 (ghsa, ADVISORY)