Description
A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can issue a TraceQL query that includes an excessively large exemplars hint value. The query causes the Grafana Tempo service to allocate a proportional amount of memory, eventually exceeding limits and triggering an out‑of‑memory crash. This results in a denial of service, interrupting normal operation of the Tempo tracing component. The weakness is a case of uncontrolled resource consumption due to improper validation of query parameters.

Affected Systems

The vulnerability affects the Grafana Enterprise Traces product and its Tempo subsystem. No specific version releases are listed in the advisory, so any Grafana Tempo instance that implements TraceQL query handling is potentially impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the Tempo service and the ability to submit a TraceQL query with a large exemplar hint. The attack path is therefore an authenticated internal or remote request, which could lead to a local denial of service for the Tempo service.

Generated by OpenCVE AI on June 19, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Grafana Tempo update that contains the fix for the unbounded memory usage in TraceQL queries.
  • If updating is not immediately possible, restrict or reject TraceQL queries that include an exemplar hint value beyond a safe threshold by configuring request filtering or applying user role restrictions on query capabilities.
  • Continuously monitor the Tempo service’s memory usage and set alerts for abnormal consumption or out‑of‑memory events to enable rapid incident response.



Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-400 |

Fri, 19 Jun 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service. |
| Title | | Tempo TraceQL query with exemplar hint could result in unbounded memory usage |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-06-19T19:03:33.602Z

Reserved: 2026-02-24T14:30:17.726Z

Link: CVE-2026-27878

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption