CVE-2026-28377 | THREATINT

Description

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

PUBLISHED Reserved 2026-02-27 | Published 2026-03-26 | Updated 2026-05-13 | Assigner GRAFANA

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Product status

Default status

unaffected

2.10.3 (semver)

affected

References

grafana.com/security/security-advisories/cve-2026-28377 vendor-advisory

cve.org (CVE-2026-28377)

nvd.nist.gov (CVE-2026-28377)

Download JSON