CVE-2021-36156 in Lokiinfo

Summary

by MITRE • 08/03/2021

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/18/2026

The vulnerability identified as CVE-2021-36156 represents a critical directory traversal flaw within Grafana Loki version 2.2.1 and earlier. This issue stems from the improper handling of the X-Scope-OrgID header parameter which is utilized by Loki to construct file paths for rule files. The vulnerability allows malicious actors to manipulate this header value to navigate outside of intended directories and access arbitrary files on the system. When a crafted header value containing directory traversal sequences such as ../../sensitive/path/in/deployment is submitted, the system attempts to parse rule files at the specified locations, inadvertently exposing sensitive information through error messages.

The technical exploitation of this vulnerability occurs through the insecure construction of file paths based on user-supplied header values. The X-Scope-OrgID header, designed for multi-tenancy support in Loki deployments, becomes a vector for unauthorized file access when not properly sanitized. The flaw lies in the lack of input validation and path sanitization mechanisms that should prevent traversal sequences from being processed. This vulnerability specifically affects the rule file parsing functionality where the system attempts to read and process rule files at locations specified by the header value, creating a scenario where error messages contain fragments of sensitive file contents.

The operational impact of this vulnerability extends beyond simple information disclosure as it enables attackers to potentially access critical system files, configuration data, and sensitive deployment information. In a production environment, this could lead to exposure of database credentials, API keys, configuration files containing secrets, and other sensitive artifacts stored in the deployment path. The vulnerability affects organizations using Loki for log aggregation and monitoring, particularly those with multi-tenant deployments where the X-Scope-OrgID header is utilized for access control. The error message inclusion of file contents provides attackers with valuable information about the system's file structure and potentially sensitive data, amplifying the security risk beyond mere file access.

Organizations should immediately update to Grafana Loki version 2.2.2 or later where this vulnerability has been addressed through proper input validation and path sanitization of the X-Scope-OrgID header parameter. Additionally, implementing network-level restrictions to limit access to Loki endpoints and monitoring for unusual header values can provide defense-in-depth. The vulnerability aligns with CWE-22 Directory Traversal and CWE-200 Information Exposure, and maps to ATT&CK techniques including T1083 File and Directory Discovery and T1566 Phishing. Security teams should conduct comprehensive audits of their Loki deployments to ensure proper access controls are in place and that the updated version has been successfully deployed across all environments.

Reservation

07/05/2021

Disclosure

08/03/2021

Moderation

accepted

CPE

ready

EPSS

0.01489

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!