High severity 7.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 24, 2026
CVE-2026-21728
Description
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/tempo (Go) | >= 1.3.0, < 2.8.4 | 2.8.4 |
| github.com/grafana/tempo (Go) | >= 2.9.0, < 2.9.2 | 2.9.2 |
| github.com/grafana/tempo (Go) | >= 2.10.0, < 2.10.2 | 2.10.2 |
Affected products
- osv-coords (2 versions)
  - (no CPE) range: < 12.2.8.01-r3
  - (no CPE) range: >= 1.3.0, < 2.8.4
References
- github.com/advisories/GHSA-p4r4-xvrq-gvmc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-21728 (ghsa, ADVISORY)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-10.md (ghsa, WEB)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-8.md (ghsa, WEB)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-9.md (ghsa, WEB)
- github.com/grafana/tempo/commit/650eb1985a0776789c8564122990f588a742356f (ghsa, WEB)
- github.com/grafana/tempo/pull/6525 (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2026-21728 (nvd, WEB)