PT-2026-26315 · Grafana+1 · Grafana Tempo+1

William_Goodfellow

·

Published

2026-03-16

·

Updated

2026-06-25

·

CVE-2026-28377

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions Grafana Tempo versions prior to 2.10.3
Description A flaw exists in Grafana Tempo that results in the exposure of the S3 SSE-C encryption key in plaintext. This exposure occurs through the /status/config API endpoint. Successful exploitation could allow unauthorized users to obtain the key used to encrypt trace data stored in S3.
Recommendations Update to version 2.10.3 or later.

Exploit

Fix

Inadequate Encryption Strength

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-06943
CLEANSTART-2026-KC83705
CLEANSTART-2026-YF74364
CLEANSTART-2026-ZI02697
CVE-2026-28377
GHSA-FFQX-Q65F-36JF
GO-2026-5359
OPENSUSE-SU-2026:10390-1

Affected Products

Grafana Tempo
Red Os