VYPR

Go modules package

github.com/grafana/tempo

pkg:golang/github.com/grafana/tempo

Vulnerabilities (2)

  • CVE-2026-21728HigApr 24, 2026
    affected >= 1.3.0, < 2.8.4fixed 2.8.4

    Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

  • CVE-2026-28377HigMar 26, 2026
    affected < 2.10.3fixed 2.10.3

    A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability