High severity 7.5 · NVD Advisory · Published Mar 26, 2026 · Updated Mar 31, 2026
CVE-2026-28377
Description
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Thanks to william_goodfellow for reporting this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/tempo (Go) | < 2.10.3 | 2.10.3 |
Affected products (7)
- osv-coords (6 versions): < 11.6.14-r0 + 5 more
  - pkg:apk/chainguard/commercial-grafana-11.6
  - pkg:apk/chainguard/grafana-12.3
  - pkg:apk/chainguard/grafana-fips-12.2
  - pkg:apk/wolfi/grafana-12.3
  - pkg:golang/github.com/grafana/tempo
  - pkg:rpm/opensuse/tempo-cli&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 11.6.14-r0
- (no CPE) range: < 12.3.6.01-r5
- (no CPE) range: < 12.2.8.01-r3
- (no CPE) range: < 12.3.6.01-r5
- (no CPE) range: < 2.10.3
- (no CPE) range: < 2.10.3-1.1
References (5)
- github.com/advisories/GHSA-ffqx-q65f-36jf (ghsa; ADVISORY)
- grafana.com/security/security-advisories/cve-2026-28377 (nvd; Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-28377 (ghsa; ADVISORY)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/CHANGELOG.md (ghsa; WEB)
- github.com/grafana/tempo/commit/bb8ca663db34a0980c9758b40d918fda3b4dbec3 (ghsa; WEB)