CVE-2026-28377

High CVSS: 7.5

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Thanks to william_goodfellow for reporting this vulnerability.

Vendor

Grafana

Product

Tempo

CWE

CWE-326

Yayın Tarihi

2026-03-26 22:16:28

Güncelleme

2026-03-31 19:00:15

Source Identifier

security@grafana.com

KEV Date Added

Kategoriler

CWE-326 Tempo HIGH Grafana 2026

Referanslar

https://grafana.com/security/security-advisories/cve-2026-28377

Benzer Kayıtlar

Medium

CVE-2026-27877

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being u…

Medium

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana.

High

CVE-2026-27880

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory cra…

Medium

CVE-2026-28375

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Critical

CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impac…

Medium

CVE-2026-33375

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API rest…