A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.Creditskhanmarshal (Researcher)Referenceshttps://grafana.com/security/security-advisories/cve-2026-42129