A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.
https://grafana.com/security/security-advisories/cve-2026-42129