VYPR

Tempo

by Grafana

Source repositories

CVEs (3)

  • CVE-2026-28377HigMar 26, 2026
    risk 0.42cvss 7.5epss 0.00

    A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this…

  • CVE-2026-10601Jun 22, 2026
    risk 0.00cvss epss 0.00

    The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by…

  • CVE-2026-27878Jun 19, 2026
    risk 0.00cvss epss 0.00

    A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.