The vulnerability in Grafana OSS 11.6.0 involves the Tempo and Loki datasource plugins constructing backend HTTP requests by directly interpolating user-supplied input into URL paths without sanitization. This allows path traversal attacks by a user with Viewer role, enabling them to capture secureJsonData custom headers containing admin-configured datasource credentials by redirecting requests to attacker-controlled endpoints. Additionally, the attacker can invoke state-changing admin endpoints on Tempo such as /flush and /shutdown, and exfiltrate internal service data through Loki's CallResource endpoint, which returns full HTTP response bodies. The CVSS 3.1 base score is 5.4 (medium severity) with network attack vector, low attack complexity, requiring low privileges (Viewer role), no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. No patch or official remediation is currently documented.

An attacker with Viewer role privileges can exploit this vulnerability to perform path traversal attacks that allow capturing sensitive admin-configured datasource credentials, invoke administrative actions on Tempo that can alter service state, and exfiltrate internal data from Loki. This compromises the integrity and availability of the affected Grafana OSS instance, though confidentiality impact is not indicated. The vulnerability requires only low privileges and no user interaction, increasing its risk within environments where Viewer roles are assigned.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Viewer role assignments to trusted users only and monitor for unusual activity related to Tempo and Loki datasource plugins. Avoid exposing Grafana OSS 11.6.0 instances to untrusted networks. Follow vendor updates closely for any forthcoming patches or mitigations.