CVE-2026-28377
Plaintext Exposure of S3 SSE-C Key via Grafana Tempo /status/config
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: Grafana Labs
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | tempo | up to 2.10.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint.
Because the encryption key is exposed, unauthorized users could potentially obtain the key used to encrypt trace data stored in S3.
How can this vulnerability impact me?
The exposure of the S3 SSE-C encryption key can allow unauthorized users to access encrypted trace data stored in S3.
This compromises the confidentiality of sensitive trace data, potentially leading to data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes the S3 SSE-C encryption key in plaintext, potentially allowing unauthorized access to encrypted trace data stored in S3.
Such exposure of encryption keys can lead to unauthorized data access, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require protection of sensitive data.
Therefore, this vulnerability could negatively impact compliance by compromising the confidentiality of protected data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the /status/config endpoint of your Grafana Tempo instance exposes the S3 SSE-C encryption key in plaintext.
You can use commands like curl to query this endpoint and inspect the response for the presence of the encryption key.
- curl -s http://<tempo-server>/status/config | grep -i 'encryptionKey'
If the encryption key is visible in the response, your system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Grafana Tempo to version 2.10.3 or later, where this vulnerability has been fixed.
Until the upgrade is applied, restrict access to the /status/config endpoint to trusted users only to prevent unauthorized retrieval of the encryption key.