VYPR
High severity 7.5 · NVD Advisory · Published Mar 26, 2026 · Updated Mar 31, 2026

CVE-2026-28377

Description

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Thanks to william_goodfellow for reporting this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/grafana/tempo (Go)
Affected versions: < 2.10.3
Patched versions: 2.10.3
