The Loki datasource plugin's callResource handler in Grafana OSS contains a path traversal vulnerability that allows an authenticated user with Viewer role privileges to bypass the plugin's resource sandbox. This enables access to administrative Loki endpoints such as /config, /services, and /ready, which can expose sensitive backend configuration and internal service data. The vulnerability is rated high severity with a CVSS 3.1 score of 7.7, indicating network attack vector, low attack complexity, required privileges at the level of a logged-in user with Viewer role, no user interaction, and a scope change with high confidentiality impact but no integrity or availability impact. No vendor advisory or patch information is currently available, and the vulnerability is not related to a cloud service.

An authenticated user with Viewer role privileges can exploit this vulnerability to access sensitive backend configuration and internal service information by escaping the Loki plugin's resource sandbox. This can lead to disclosure of sensitive data, potentially aiding further attacks or reconnaissance. There is no indication of integrity or availability impact. No known exploits are reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Viewer role assignments to trusted users only and monitor for suspicious activity related to Loki datasource plugin access. Avoid exposing Grafana OSS instances to untrusted networks if possible.