Grafana · Grafana Tempo · CVE-2026-28377
**Name of the Vulnerable Software and Affected Versions**
Grafana Tempo versions prior to 2.10.3
**Description**
A flaw exists in Grafana Tempo that results in the exposure of the S3 SSE-C encryption key in plaintext. This exposure occurs through the `/status/config` API endpoint. Successful exploitation could allow unauthorized users to obtain the key used to encrypt trace data stored in S3.
**Recommendations**
Update to version 2.10.3 or later.