The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Loki datasource plugin contains a path traversal vulnerability in its callResource handler that allows authenticated users with Viewer-level permissions to bypass sandbox restrictions and access sensitive administrative endpoints like /config, /services, and /ready. This is particularly concerning because it violates the principle of least privilege—a low-privileged user can escalate their access to retrieve backend configuration details and internal service information without requiring additional credentials. Organizations deploying Loki as a monitoring or logging backend are affected, especially in multi-tenant environments where Viewer roles are commonly assigned to non-administrative users who should have strictly limited access.
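A containment check of the kind a resource proxy needs for the traversal class described above, as an added example in Go (not Grafana's code and not its fix). `resolveResourcePath` is a hypothetical helper, the `/loki/api/v1/` sandbox prefix is an assumption, and the inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// apiPrefix is the assumed sandbox root; Loki's query API lives under it,
// while /config, /services and /ready sit outside it at the server root.
const apiPrefix = "/loki/api/v1/"

var errEscape = errors.New("resource path escapes the API prefix")

// resolveResourcePath (hypothetical helper) turns a caller-supplied resource
// path into the upstream path, or fails if the result leaves apiPrefix.
func resolveResourcePath(resource string) (string, error) {
	// Decode once so encoded dot segments are judged in decoded form.
	decoded, err := url.PathUnescape(resource)
	if err != nil {
		return "", fmt.Errorf("invalid escape in resource path: %w", err)
	}
	// Leftover '%' means double encoding; '\' and NUL have no place here.
	if strings.ContainsAny(decoded, "%\\\x00") {
		return "", errEscape
	}
	// path.Join cleans the result, collapsing "." and ".." segments.
	cleaned := path.Join(apiPrefix, decoded)
	// Compare against the prefix with its trailing slash so that a sibling
	// such as /loki/api/v1x does not pass a bare string-prefix check.
	if !strings.HasPrefix(cleaned, apiPrefix) {
		return "", errEscape
	}
	// Forward the cleaned value, never the raw input that was checked.
	return cleaned, nil
}

func main() {
	// Constructed inputs for illustration.
	for _, in := range []string{"labels", "../../../config", "%2e%2e/%2e%2e/%2e%2e/ready"} {
		out, err := resolveResourcePath(in)
		fmt.Printf("%-32q -> %q, err=%v\n", in, out, err)
	}
}
```

The check authorizes the normalized path and returns that same value for forwarding, so the string that was validated and the string sent upstream cannot differ.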
While this vulnerability lacks mapped MITRE ATT&CK techniques in its current disclosure, Casky's skill framework would identify the underlying attack patterns associated with reconnaissance and information gathering. Practitioners using Casky's 754 mapped security skills would detect indicators aligned with techniques like T1526 (Cloud Service Discovery) and T1087 (Account Discovery) as attackers probe administrative endpoints to enumerate backend services and configurations. The path traversal itself maps to T1083 (File and Directory Discovery), while successful extraction of configuration data constitutes T1526 or T1580 (Cloud Infrastructure Discovery). In practice, security teams would see suspicious API calls to /config and /services endpoints originating from low-privileged user accounts, followed by lateral movement attempts or privilege escalation activities based on exposed service information—patterns that Casky's extended reasoning capabilities would correlate across multiple data sources to surface the attack chain.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-42129. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation