CVE-2026-28377
Status: Received - Intake
Plaintext Exposure of S3 SSE-C Key via Grafana Tempo /status/config

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: Grafana Labs

Description
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-31
Generated: 2026-06-16
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: grafana
Product: tempo
Version / Range: all versions before 2.10.3 (2.10.3 itself is not affected)
CWE
CWE-326: The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Executive Summary

Grafana Tempo versions before 2.10.3 return the S3 SSE-C (server-side encryption with customer-provided keys) key in plaintext as part of the configuration dump served at /status/config. Anyone who can reach that endpoint can read the key that protects trace data stored in S3. Tempo does not authenticate its HTTP API itself, so unless a reverse proxy or network policy in front of it restricts access, the endpoint is readable from any network that can reach the Tempo listener.

Impact Analysis

With SSE-C, S3 encrypts each object under the key the client supplies and requires that same key on every read; S3 never stores the key. An attacker who obtains the key from /status/config and also has read access to the bucket (for example through leaked S3 credentials or an over-permissive bucket policy) can decrypt every trace block written under it. Because Tempo uses a single configured key for all objects it writes, one read of the endpoint compromises the entire trace store, and the exposure removes the protection SSE-C was meant to add on top of bucket access controls.

Trace data often carries request attributes such as URLs, identifiers and error messages, so loss of confidentiality here can amount to a data breach rather than a leak of purely operational telemetry.

Compliance Impact

Encryption at rest is a common control for satisfying data protection obligations under regimes such as GDPR and HIPAA. Exposing the SSE-C key in plaintext undermines that control for all trace data protected by it, so an environment relying on SSE-C as evidence of encryption at rest should treat the affected period as one in which the control was not effective and assess whether notification or re-encryption duties apply.

Detection Guidance

A Tempo instance is affected if it runs a version before 2.10.3 and its S3 backend is configured with SSE-C. To confirm the exposure directly, fetch the configuration dump and search it for the SSE-C key value from your own tempo.yaml; searching for the value rather than a guessed field name avoids a false negative if Tempo prints the key under a name you did not expect. Tempo's HTTP API listens on port 3200 by default.

  • curl -s http://<tempo-server>:3200/status/config | grep -F -- "<your-configured-sse-c-key>"

If the command prints a matching line, the key is being served in plaintext and the instance is vulnerable. Run the check from a network position an attacker could plausibly occupy (not only from the Tempo host itself) to learn how widely the endpoint is actually reachable.
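As an added example (not Tempo's or Grafana Labs' own code), the script below automates the check: it fetches /status/config from a live instance or takes a saved dump, flattens the YAML key/value structure into dotted paths, and reports every secret-looking field whose value has not been redacted, plus any verbatim occurrence of the key you configured. The sample dump and the field name storage.trace.s3.sse.customer_key are constructed for illustration; the actual field name in Tempo's configuration may differ, which is why the literal-value check is the authoritative one.

```python
"""Scan a Grafana Tempo /status/config dump for unredacted secret material.

Added example, not Tempo's own code. The sample dump and the field name
``storage.trace.s3.sse.customer_key`` are constructed for illustration; the
real Tempo field name may differ, which is exactly why the scan also looks
for the literal key value taken from your own tempo.yaml.
"""
import re
import sys
import urllib.request
from typing import Dict, List, Optional, Tuple

# Field names that usually hold secret material.
SENSITIVE_NAME = re.compile(r"(key|secret|password|passwd|token)", re.IGNORECASE)
# Names that match the pattern above but are identifiers, not key material.
NON_SECRET_NAMES = {"access_key", "kms_key_id"}
# Common markers a server prints instead of a secret it has redacted.
REDACTED_VALUES = {"", "null", "~", "<redacted>", "redacted", "********"}

# Constructed sample of what the endpoint returns; the key is not a real one.
SAMPLE_SSE_C_KEY = "c2FtcGxlLXNzZWMta2V5LW5vdC1yZWFsLTAxMjM0NTY3ODk="
SAMPLE_STATUS_CONFIG = f"""\
server:
  http_listen_port: 3200
storage:
  trace:
    backend: s3
    s3:
      bucket: tempo-traces
      endpoint: s3.dualstack.us-east-1.amazonaws.com
      access_key: AKIAEXAMPLEEXAMPLE
      secret_key: ********
      sse:
        type: SSE-C
        customer_key: {SAMPLE_SSE_C_KEY}
"""


def flatten_yaml_mappings(text: str) -> Dict[str, str]:
    """Flatten the nested ``key: value`` mappings of a config dump into
    dotted paths using indentation only. Lists, comments and multi-line
    scalars are skipped; scalar secrets are all this check needs."""
    line_re = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of enclosing mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = line_re.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))  # treated as a nested mapping
        else:
            flat[path] = value.strip("'\"")
    return flat


def find_exposed_secrets(config_text: str, known_key: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (path, value) pairs for secret-looking fields whose value is
    not redacted. If ``known_key`` (the SSE-C key from your tempo.yaml) is
    given, a verbatim occurrence anywhere in the dump is reported as well,
    so a key printed under an unexpected field name is still caught."""
    findings: List[Tuple[str, str]] = []
    for path, value in flatten_yaml_mappings(config_text).items():
        leaf = path.rsplit(".", 1)[-1]
        if leaf in NON_SECRET_NAMES or not SENSITIVE_NAME.search(leaf):
            continue
        if value.lower() in REDACTED_VALUES:
            continue
        findings.append((path, value))
    if known_key and known_key in config_text and all(v != known_key for _, v in findings):
        findings.append(("(literal match under an unrecognised field name)", known_key))
    return findings


def fetch_status_config(base_url: str, timeout: float = 5.0) -> str:
    """GET <base_url>/status/config from a live Tempo instance."""
    url = base_url.rstrip("/") + "/status/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: python tempo_config_scan.py [http://tempo:3200] [known-sse-c-key]
    text = fetch_status_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS_CONFIG
    key = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_SSE_C_KEY
    hits = find_exposed_secrets(text, known_key=key)
    for path, value in hits:
        print(f"EXPOSED {path} = {value[:6]}...")  # print only a prefix of any secret
    sys.exit(1 if hits else 0)
```

Run without arguments to scan the constructed sample, or pass the Tempo base URL and your configured SSE-C key to scan a live instance; a non-zero exit code means at least one unredacted secret was found, which makes the script usable as a gate in a deployment pipeline. The name-based heuristic is deliberately conservative (it skips access_key and kms_key_id, which are identifiers rather than key material) and the literal-value match is what makes the result independent of how Tempo names the field.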

Mitigation Strategies

Upgrade Grafana Tempo to version 2.10.3 or later, the first release in which /status/config no longer prints the SSE-C key.

Until the upgrade is applied, block /status/config (and Tempo's other status and administrative endpoints) at the reverse proxy or network layer so that only operators can reach them. Tempo has no authentication of its own, so this restriction has to be enforced in front of it.

Treat a key that has been reachable through this endpoint as potentially compromised. Rotating an SSE-C key is not a configuration-only change: S3 cannot decrypt objects written under the old key unless that key is supplied, so existing trace blocks must be re-encrypted (read with the old key, written back with the new one) before the old key can be retired. Review access logs for the S3 bucket and for the Tempo HTTP listener covering the period in which the key was exposed.
