
CVE-2026-28377: Vulnerability in Grafana Tempo

Severity: High
Published: Thu Mar 26 2026 (03/26/2026, 21:39:46 UTC)
Source: CVE Database V5
Vendor/Project: Grafana
Product: Tempo

Description

CVE-2026-28377 is a high-severity vulnerability in Grafana Tempo version 2.10.3 that exposes the S3 SSE-C (server-side encryption with customer-provided keys) encryption key in plaintext via the /status/config endpoint. Any remote attacker who can reach that endpoint can read the key used to encrypt trace data stored in S3; no authentication or user interaction is required. The key alone does not yield trace data: with SSE-C, S3 stores no key material and the attacker must also be able to read the encrypted objects from the bucket, for example through leaked S3 credentials or a permissive bucket policy. No exploits are known in the wild, but the impact on confidentiality is significant, and organizations running Tempo with SSE-C encryption for trace storage on S3 should prioritize patching or mitigating the issue. Immediate mitigations are to restrict network access to /status/config, rotate the SSE-C key (for SSE-C this means re-encrypting the stored objects under the new key, not just changing a setting), and monitor access to the endpoint and to the trace bucket. The CVSS v3.1 base score is 7.5.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 22:14:52 UTC

Technical Analysis

CVE-2026-28377 is a vulnerability in Grafana Tempo version 2.10.3 that exposes the key Tempo uses for S3 server-side encryption with customer-provided keys (SSE-C) to protect stored trace data. The /status/config HTTP endpoint, which renders the running configuration, returns the SSE-C key in plaintext. Because the endpoint requires neither authentication nor user interaction, any remote attacker with network access to it can retrieve the key. With SSE-C, S3 does not store the key; the client supplies it on every PUT and GET, so whoever holds it can decrypt every object written under it, provided they can also fetch those objects from the bucket. The key is therefore necessary but not sufficient on its own: the attacker still needs read access to the S3 objects. The vulnerability does not directly affect integrity or availability. The CVSS v3.1 base score is 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality impact, no integrity or availability impact. No exploits in the wild had been reported as of publication. The vulnerability was responsibly disclosed by security researcher william_goodfellow and published on March 26, 2026. Grafana Tempo is an open-source distributed tracing backend widely used in cloud-native observability stacks, typically on Kubernetes with object storage such as Amazon S3. Decrypted traces can reveal internal service topology, request paths and parameters, timing, user or tenant identifiers, and other operational detail.
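A quick way to check whether a Tempo instance (or any service with a similar configuration endpoint) is leaking key material is to fetch /status/config and scan the rendered configuration for secret-bearing keys whose values are not redacted. The script below is an added example, not Grafana's code: it parses the response as indented `key: value` lines, tracks the dotted path, and flags sensitive keys with live values, additionally recognising 32-byte hex or base64 strings as 256-bit SSE-C key material. The field names, the redaction markers and the sample response are assumptions constructed for the example, not Tempo's documented schema.

```python
"""Audit the body of Tempo's /status/config for plaintext secrets.

Added example; not Grafana's code. The response is treated as YAML rendered
as indented "key: value" lines. Field names and redaction markers below are
assumptions, not Tempo's documented configuration schema.
"""
from __future__ import annotations

import base64
import re
import urllib.request

# Key names treated as secret-bearing (assumed; extend for your deployment).
SENSITIVE_KEY_RE = re.compile(r"sse_c|sse-c|customer_key|secret|password|token", re.IGNORECASE)
# Values a configuration dump may use for masked fields (assumed markers).
REDACTED_VALUES = {"", "<redacted>", "[redacted]", "********", "null"}


def fetch_status_config(base_url: str, timeout: float = 5.0) -> str:
    """Unauthenticated GET of /status/config, the endpoint named in the CVE."""
    url = base_url.rstrip("/") + "/status/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def looks_like_aes256_key(value: str) -> bool:
    """SSE-C keys are 256-bit: flag hex or base64 encodings of exactly 32 bytes."""
    v = value.strip().strip("\"'")
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return True
    try:
        return len(base64.b64decode(v, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def find_plaintext_secrets(config_text: str) -> list[tuple[str, str]]:
    """Return (dotted.path, reason) for every sensitive key with a live value."""
    findings: list[tuple[str, str]] = []
    stack: list[tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = re.match(r"^(\s*)([A-Za-z0-9_\-]+):\s*(.*)$", raw)
        if not m:
            continue  # list items and multi-line scalars are out of scope here
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if not value:
            continue  # mapping header; its children follow on later lines
        if SENSITIVE_KEY_RE.search(key) and value.strip("\"'").lower() not in REDACTED_VALUES:
            path = ".".join(k for _, k in stack)
            reason = "256-bit key material" if looks_like_aes256_key(value) else "non-redacted value"
            findings.append((path, reason))
    return findings


# Constructed sample modelled on a Tempo S3 storage block; the key is a dummy.
CONSTRUCTED_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_STATUS_CONFIG = f"""\
storage:
  trace:
    backend: s3
    s3:
      bucket: tempo-traces
      endpoint: s3.example.internal
      access_key: AKIAEXAMPLE
      secret_key: <redacted>
      sse:
        type: SSE-C
        customer_key: {CONSTRUCTED_KEY_B64}
"""


if __name__ == "__main__":
    import sys

    text = fetch_status_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS_CONFIG
    for path, reason in find_plaintext_secrets(text):
        print(f"LEAK {path}: {reason}")
```

Run it as `python audit.py http://tempo-host:3200` against a live instance (3200 is Tempo's default HTTP listen port); with no argument it scans the constructed sample and reports `storage.trace.s3.sse.customer_key` as 256-bit key material while leaving the redacted `secret_key` alone. Treat any LEAK line as confirmation that the endpoint must be fenced off before the key is rotated.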

Potential Impact

The primary impact of CVE-2026-28377 is loss of confidentiality for organizations that run Grafana Tempo with SSE-C encryption for trace data in S3. An attacker who obtains the SSE-C key and can also read the bucket (SSE-C keys are client-supplied, so the ciphertext has to be fetched separately) can decrypt the stored traces, which carry service names, endpoints, request attributes and timing, and often user or tenant identifiers. That information maps internal architecture and behaviour and can support further attacks. Because the endpoint needs no authentication and is reachable over the network, the attack surface is broad wherever /status/config faces an untrusted network. Integrity and availability are not directly affected, but the loss of confidentiality alone matters for organizations that rely on traces for security monitoring and compliance, and a leaked key undermines trust in the observability pipeline and complicates incident response. Sectors with strict data-privacy obligations or sensitive operational data are at elevated risk. No exploits are known in the wild, but the ease of exploitation and the sensitivity of the data warrant prompt remediation.

Mitigation Recommendations

To mitigate CVE-2026-28377, apply the Grafana release that fixes the /status/config disclosure as soon as it is available; until then, treat the endpoint as leaking the key. Restrict network access to /status/config with firewall rules, network policies, or an authenticating reverse proxy or API gateway so that only administrators can reach it; Tempo does not authenticate the endpoint itself. Order matters: close the exposure before rotating, because a new key placed in a configuration that is still readable over the network leaks exactly like the old one. Then rotate the SSE-C key. With SSE-C, S3 holds no key material, so rotation is not a setting change: every existing object must be re-encrypted by copying it onto itself with the old key as the copy-source key and the new key as the destination key, and Tempo's configuration must be switched to the new key before the old one is discarded. Assume that any object readable from the bucket while the old key was exposed is compromised. Monitor and alert on requests to /status/config and on unusual access to the trace bucket (S3 server access logs or CloudTrail S3 data events) to detect exploitation attempts. Review authentication and authorization for all Tempo administrative endpoints. Consider moving to SSE-KMS or SSE-S3, where the key never leaves AWS and the right to decrypt is governed by IAM and KMS key policies rather than by a secret in Tempo's configuration file; a configuration dump then has nothing to leak. Finally, audit trace-data access and key-management procedures so that the key is never rendered in logs, configuration dumps, or dashboards.
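The rotation step above is the one most often done wrong, because with SSE-C there is no server-side key to swap: each object must be copied onto itself under the new key. The following is an added example, not Tempo's or Grafana's code, of that re-encryption loop written against the boto3 S3 client's `list_objects_v2` and `copy_object` signatures (the `CopySourceSSECustomer*` and `SSECustomer*` parameters are real boto3 parameters). The `FakeSSECS3` class, the bucket name and the object keys are constructed so the example runs offline; it models the one S3 behaviour that matters here, namely that a copy is refused when the supplied source key is not the key the object was written with.

```python
"""Rotate an S3 SSE-C key by re-encrypting every object under a prefix.

Added example, not Tempo's or Grafana's code. With SSE-C, S3 keeps no key
material (only a salted HMAC used to validate requests), so rotation means
copying each object onto itself with the old key as the copy-source key and
the new key as the destination key. `s3` may be a real boto3 S3 client; the
in-memory FakeSSECS3 below is constructed so the example runs offline, and
the bucket and prefix names are assumptions.
"""
from __future__ import annotations

import os


def new_sse_c_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG; AES256 is the only SSE-C algorithm."""
    return os.urandom(32)


def rotate_sse_c_objects(s3, bucket: str, prefix: str, old_key: bytes, new_key: bytes) -> int:
    """Re-encrypt every object under prefix from old_key to new_key.

    Pages through list_objects_v2 and issues one in-place copy_object per
    object. A rejected copy (S3 answers 403 when CopySourceSSECustomerKey does
    not match the key the object was written with) propagates, so a wrong
    assumption about the old key halts the run instead of being skipped.
    """
    if len(old_key) != 32 or len(new_key) != 32:
        raise ValueError("SSE-C keys must be exactly 32 bytes")
    rotated, token = 0, None
    while True:
        kwargs = {"Bucket": bucket, "Prefix": prefix}
        if token:
            kwargs["ContinuationToken"] = token
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            s3.copy_object(
                Bucket=bucket,
                Key=obj["Key"],
                CopySource={"Bucket": bucket, "Key": obj["Key"]},
                CopySourceSSECustomerAlgorithm="AES256",
                CopySourceSSECustomerKey=old_key,   # boto3 base64-encodes and adds the MD5
                SSECustomerAlgorithm="AES256",
                SSECustomerKey=new_key,
                MetadataDirective="COPY",           # keep Tempo's object metadata intact
            )
            rotated += 1
        if not page.get("IsTruncated"):
            return rotated
        token = page["NextContinuationToken"]


class FakeSSECS3:
    """Constructed in-memory stand-in for boto3's S3 client with just enough
    surface for the loop above. It models the behaviour that matters: an
    object is only readable with the exact key it was written under."""

    def __init__(self, objects: dict[str, bytes], key: bytes, page_size: int = 2):
        self._store = {k: (key, v) for k, v in objects.items()}
        self._page_size = page_size

    def list_objects_v2(self, Bucket, Prefix="", ContinuationToken=None):
        keys = sorted(k for k in self._store if k.startswith(Prefix))
        start = int(ContinuationToken or 0)
        page = keys[start:start + self._page_size]
        truncated = start + self._page_size < len(keys)
        out = {"Contents": [{"Key": k} for k in page], "IsTruncated": truncated}
        if truncated:
            out["NextContinuationToken"] = str(start + self._page_size)
        return out

    def copy_object(self, Bucket, Key, CopySource, CopySourceSSECustomerKey, SSECustomerKey, **_):
        stored_key, body = self._store[CopySource["Key"]]
        if stored_key != CopySourceSSECustomerKey:  # what S3 reports as a 403
            raise PermissionError(f"403 for {Key}: SSE-C key does not match")
        self._store[Key] = (SSECustomerKey, body)

    def key_for(self, key: str) -> bytes:
        return self._store[key][0]


def demo() -> tuple[int, bool, bool, bool]:
    """Rotate three trace objects, leave an unrelated prefix alone, and show
    that a second pass with the now-stale key is refused."""
    old_key, new_key = new_sse_c_key(), new_sse_c_key()
    s3 = FakeSSECS3(
        {"traces/blk-1": b"span", "traces/blk-2": b"span", "traces/blk-3": b"span", "other/x": b"y"},
        key=old_key,
    )
    count = rotate_sse_c_objects(s3, "tempo-traces", "traces/", old_key, new_key)
    traces_rotated = all(s3.key_for(f"traces/blk-{i}") == new_key for i in (1, 2, 3))
    other_untouched = s3.key_for("other/x") == old_key
    try:
        rotate_sse_c_objects(s3, "tempo-traces", "traces/", old_key, new_key)
        stale_key_refused = False
    except PermissionError:
        stale_key_refused = True
    return count, traces_rotated, other_untouched, stale_key_refused


if __name__ == "__main__":
    print(demo())
```

For a real bucket pass `boto3.client("s3")` as `s3`. Do this inside a maintenance window in which Tempo is not flushing new blocks, since any object written under the old key after its page was listed would be missed, and only after /status/config has been fenced off, otherwise the new key leaks the same way. Re-encrypting does not undo exposure: ciphertext an attacker fetched while holding the old key remains decryptable with that key.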


Technical Details

Data Version: 5.2
Assigner Short Name: GRAFANA
Date Reserved: 2026-02-27T07:16:12.218Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 3/26/2026, 9:59:46 PM

Last enriched: 3/26/2026, 10:14:52 PM

Last updated: 3/26/2026, 11:05:14 PM
