CVE-2026-28377 - Vulnerability Details

- S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)

Description

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Thanks to william_goodfellow for reporting this vulnerability.

Published: 2026-03-26

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Grafana Tempo allows the S3 server‑side encryption (SSE‑C) key to be returned in clear text when a user accesses the /status/config endpoint. The revealed key can be used to decrypt trace data that is stored in an Amazon S3 bucket, thereby leaking the content of those traces. This weakness is a classic example of clear‑text credential storage (CWE‑312) coupled with the use of weak encryption (CWE‑326). The potential consequence is the compromise of all sensitive tracing information that the application collects.

Affected Systems

The only product listed by the advisory is Grafana Tempo. No specific release numbers are provided, so any instance of Tempo could be at risk until a vendor patch is applied. Administrators should assume all deployed Tempo versions are vulnerable unless they verify that a fixed revision has already been installed.

Risk and Exploitability

The CVSS score of 7.5 indicates high impact. The EPSS score shows less than 1% likelihood of exploitation, and the issue is not listed in CISA's KEV catalog. The advisory does not explicitly state whether authentication is required for the /status/config endpoint; it is inferred that the endpoint is accessible to any user who can reach the Tempo service, implying that unauthorized access could obtain the key. With the key exposed, an attacker could decrypt all S3 trace data that was protected by SSE‑C, providing full confidentiality compromise for that data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Grafana

Tempo

unaffected

Version	Status	Constraints
`2.10.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:grafana:tempo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Grafana

Tempo

100%

Version	Status	Scheme	Platform
`2.10.3`	affected	semver	['onprem']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor patch or upgrade to a fixed Tempo release
Restrict network access to the /status/config endpoint or add authentication so only trusted administrators can query it
Rotate the SSE‑C encryption key used for S3 and re‑encrypt stored trace data if the key may have been compromised

Generated by OpenCVE AI on April 1, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00007.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://grafana.com/security/security-advisories/cve-2026-28377
https://nvd.nist.gov/vuln/detail/CVE-2026-28377
https://www.cve.org/CVERecord?id=CVE-2026-28377

History

Tue, 31 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:grafana:tempo::::::::

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-311

Fri, 27 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-326
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-312
References		https://nvd.nist.gov/vuln/detail/CVE-2026-28377 https://www.cve.org/CVERecord?id=CVE-2026-28377
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 27 Mar 2026 09:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-311

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Grafana Grafana tempo
Vendors & Products		Grafana Grafana tempo

Thu, 26 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.
Title		S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)
References		https://grafana.com/security/security-advisories/cve-2026-28377
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Grafana Tempo

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2026-03-26T21:39:46.928Z

Updated: 2026-04-24T08:00:48.241Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28377

Vulnrichment

Updated: 2026-03-27T13:31:05.593Z

NVD

Status : Analyzed

Published: 2026-03-26T22:16:28.460

Modified: 2026-03-31T19:00:15.610

Link: CVE-2026-28377

Redhat

Severity : Moderate

Publid Date: 2026-03-26T21:39:46Z

Links: CVE-2026-28377 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:56:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object