Grafana Ruler API Path Traversal via Double URL Decoding (v1/rules)
CVE-2026-21726 Published on April 15, 2026

Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.

Vendor Advisory NVD

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-21726 has been classified to as a Directory traversal vulnerability or weakness.

Affected Versions

Grafana Loki:

Version 2.3.0 and below 3.5.9 is affected.

Grafana Ruler API Path Traversal via Double URL Decoding (v1/rules)CVE-2026-21726 Published on April 15, 2026

Weakness Type

What is a Directory traversal Vulnerability?

Affected Versions

Grafana Ruler API Path Traversal via Double URL Decoding (v1/rules)
CVE-2026-21726 Published on April 15, 2026