Description
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Thanks to william_goodfellow for reporting this vulnerability.
Published: 2026-03-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Sensitive S3 encryption key exposed, compromising trace data confidentiality
Action: Apply Patch
AI Analysis

Impact

This vulnerability causes the SSE‑C encryption key used to protect trace data stored in Amazon S3 to be returned in cleartext when a client requests the /status/config endpoint of Grafana Tempo. Anyone who can reach that endpoint obtains the key; combined with read access to the bucket (the key alone does not grant S3 access, but S3 requires it to serve SSE‑C objects), that is enough to decrypt every trace object encrypted under it, compromising confidentiality and potentially revealing sensitive infrastructure or user information. The flaw arises because the endpoint renders the effective configuration without redacting the key, and the endpoint itself requires no authentication.

Affected Systems

Grafana Tempo is affected. No specific version numbers have been published in the advisory; administrators whose Tempo trace storage is configured with S3 SSE‑C should assume their instance is affected until the vendor publishes a fixed version, and can confirm exposure by requesting /status/config and looking for the configured key in the response.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5) reflects that the /status/config endpoint requires no authentication, so an attacker with network access to the Tempo HTTP port can retrieve the key without valid credentials or user interaction; the impact is to confidentiality only. Because no EPSS score is available and the vulnerability is not listed in KEV, the quantitative probability of exploitation is unknown, but the attack is a single unauthenticated GET request, so exploitation could occur quickly if the service is exposed to the internet or to an internal network without access controls. The combination of high impact and trivial exploitation makes remediation urgent.

Generated by OpenCVE AI on March 26, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grafana Tempo to a version that contains the fix as soon as the vendor publishes one.
  • Restrict access to the /status/config endpoint (and to Tempo's HTTP API generally, which has no built-in authentication) with firewall rules, VPN restrictions or an authenticating reverse proxy, so that only trusted administrators can call it.
  • Until a patch is applied, disable S3 SSE‑C or switch to a server-managed encryption mode (SSE‑KMS or SSE‑S3) if your deployment supports it, so that no key is present in the configuration to expose. Treat any SSE‑C key that was configured while the endpoint was reachable as compromised and rotate it once the fix is in place; rotating an SSE‑C key means re-encrypting the existing objects by copying them under the new key.

Generated by OpenCVE AI on March 26, 2026 at 23:22 UTC.
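The following script is an added example, not code from Grafana Tempo or OpenCVE. It performs the check described under Risk and Exploitability (an unauthenticated GET of /status/config) and scans the returned configuration for the SSE‑C key, both by looking for the exact key you configured and, as a fallback, for any secret-looking option whose value is not redacted. Rerunning it after applying the recommended actions above confirms that the key is no longer rendered or that the endpoint is no longer reachable. The option name `customer_key` and the YAML sample are constructed for illustration; the real option name in your configuration may differ.

```python
"""
Check whether a Grafana Tempo /status/config response leaks an S3 SSE-C key.

Added example; not code from Grafana Tempo or OpenCVE. It relies only on what
the advisory states: /status/config renders the effective configuration and,
on affected versions, includes the SSE-C key unredacted. The option name
`customer_key` and the YAML sample below are constructed for illustration.
"""
import re
import sys
import urllib.request

# Constructed stand-in for an affected instance's response (hypothetical option
# name, dummy 32-character key). Not captured from a real deployment.
SAMPLE_CONFIG = """\
storage:
  trace:
    backend: s3
    s3:
      bucket: tempo-traces
      endpoint: s3.dualstack.us-east-1.amazonaws.com
      secret_key: <redacted>
      sse:
        type: SSE-C
        customer_key: "0123456789abcdef0123456789abcdef"
"""

# Option names that usually carry secrets (a heuristic: it also matches names
# such as kms_key_id that are not secret), and the placeholders a correctly
# redacting config dump shows instead of the value.
SECRET_NAME = re.compile(r"(key|secret|password|token)", re.IGNORECASE)
REDACTED = {"", "<redacted>", "********", "[REDACTED]"}
OPTION_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*)$")


def fetch_status_config(base_url, timeout=5):
    """GET /status/config with no credentials: the advisory's point is that an
    affected instance answers an unauthenticated request."""
    url = base_url.rstrip("/") + "/status/config"
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def unredacted_secrets(config_text):
    """Return [(line_no, option, value)] for scalar options whose name suggests
    a secret and whose value is not a redaction placeholder. Line-based on
    purpose: no YAML parser is needed and nested options are still caught."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = OPTION_LINE.match(line)
        if not m:
            continue
        option, value = m.group(1), _unquote(m.group(2))
        if SECRET_NAME.search(option) and value not in REDACTED:
            findings.append((line_no, option, value))
    return findings


def leaks_known_secret(config_text, secret):
    """True if the exact key you configured appears verbatim in the dump. This
    is the definitive check; the name-based scan is the fallback when the
    configured value is not at hand."""
    return bool(secret) and secret in config_text


def assess(config_text, configured_key=None):
    """Combine both checks into one verdict for an operator."""
    findings = unredacted_secrets(config_text)
    leaked = leaks_known_secret(config_text, configured_key) if configured_key else None
    return {"unredacted": findings, "known_key_leaked": leaked,
            "affected": bool(findings) or bool(leaked)}


if __name__ == "__main__":
    # Usage: python check_tempo_ssec.py http://tempo:3200 [configured-key]
    # (3200 is Tempo's default HTTP port; with no arguments the constructed sample is scanned.)
    text = fetch_status_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    key = sys.argv[2] if len(sys.argv) > 2 else None
    for line_no, option, value in unredacted_secrets(text):
        print(f"line {line_no}: {option} = {value[:4]}... (unredacted)")
    print(assess(text, key))
```

Run it from a host that should not be trusted with the key (for example, an ordinary workstation on the same network) so that the result also tells you whether the network restrictions are effective: a connection refused or a 401/403 from an authenticating proxy is the desired outcome, and a 200 with an empty findings list is what a fixed version should produce.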

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Weaknesses: added CWE-311

Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared: added Grafana, Grafana tempo
Vendors & Products: added Grafana, Grafana tempo

Thu, 26 Mar 2026 22:00:00 +0000

Description: added "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability."
Title: added "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)"
References: none
Metrics: added cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-03-26T21:41:06.833Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28377

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T22:16:28.460

Modified: 2026-03-26T22:16:28.460

Link: CVE-2026-28377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:06Z

Weaknesses