CVE-2026-28377: Vulnerability in Grafana Tempo
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.
AI Analysis
Technical Summary
This vulnerability in Grafana Tempo 2.10.3 allows an attacker to retrieve the S3 SSE-C encryption key in plaintext through the /status/config endpoint. The exposed key is used to encrypt trace data stored in S3, potentially compromising the confidentiality of that data. The CVSS 3.1 vector indicates the attack can be performed remotely without authentication or user interaction, with a high impact on confidentiality but no impact on integrity or availability. The vulnerability is categorized under CWE-326 (inadequate encryption strength or key management). A patch is available to remediate this issue.
Potential Impact
Unauthorized disclosure of the S3 SSE-C encryption key can lead to exposure of encrypted trace data stored in S3, compromising confidentiality. There is no indication of impact on data integrity or service availability. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch is available to fix this vulnerability. Users of Grafana Tempo version 2.10.3 should apply the official update provided by Grafana to prevent unauthorized access to the encryption key. Since this is not a cloud service, remediation depends on user action to update the affected software.
CVE-2026-28377: Vulnerability in Grafana Tempo
Description
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Grafana Tempo 2.10.3 allows an attacker to retrieve the S3 SSE-C encryption key in plaintext through the /status/config endpoint. The exposed key is used to encrypt trace data stored in S3, potentially compromising the confidentiality of that data. The CVSS 3.1 vector indicates the attack can be performed remotely without authentication or user interaction, with a high impact on confidentiality but no impact on integrity or availability. The vulnerability is categorized under CWE-326 (inadequate encryption strength or key management). A patch is available to remediate this issue.
Potential Impact
Unauthorized disclosure of the S3 SSE-C encryption key can lead to exposure of encrypted trace data stored in S3, compromising confidentiality. There is no indication of impact on data integrity or service availability. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch is available to fix this vulnerability. Users of Grafana Tempo version 2.10.3 should apply the official update provided by Grafana to prevent unauthorized access to the encryption key. Since this is not a cloud service, remediation depends on user action to update the affected software.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GRAFANA
- Date Reserved
- 2026-02-27T07:16:12.218Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Is Cloud Service
- true
Threat ID: 69c5ac523c064ed76fd41c44
Added to database: 3/26/2026, 9:59:46 PM
Last enriched: 4/24/2026, 11:14:39 PM
Last updated: 5/10/2026, 7:04:50 AM
Views: 105
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.