{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28377", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-27T07:16:12.218Z", "datePublished": "2026-03-26T21:39:46.928Z", "dateUpdated": "2026-05-13T19:28:35.388Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:35.388Z"}, "datePublic": "2026-03-26T21:34:51.017Z", "title": "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)", "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}], "affected": [{"vendor": "Grafana", "product": "Tempo", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "2.10.3", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28377", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-326", "lang": "en", "description": "CWE-326 Inadequate Encryption Strength"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:29:52.402572Z", "id": "CVE-2026-28377", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:54:56.438Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:29:52.402572Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-326", "description": "CWE-326 Inadequate Encryption Strength"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:31:05.593Z"}}], "cna": {"title": "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Tempo", "versions": [{"status": "affected", "version": "2.10.3", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-26T21:34:51.017Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28377", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:35.388Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28377", "state": "PUBLISHED", "dateUpdated": "2026-05-13T19:28:35.388Z", "dateReserved": "2026-02-27T07:16:12.218Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-26T21:39:46.928Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:tempo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FEA69C-8014-4D65-AFA0-5C44DF250663", "versionEndExcluding": "2.10.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad en Grafana Tempo expone la clave de cifrado S3 SSE-C en texto plano a trav\u00e9s del endpoint /status/config, lo que podr\u00eda permitir a usuarios no autorizados obtener la clave utilizada para cifrar los datos de traza almacenados en S3.\n\nGracias a william_goodfellow por informar sobre esta vulnerabilidad."}], "id": "CVE-2026-28377", "lastModified": "2026-03-31T19:00:15.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:28.460", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-28377"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Grafana Tempo: Grafana Tempo: Information disclosure of S3 encryption key via status config endpoint", "id": "2451990", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451990"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-312", "details": ["A flaw was found in Grafana Tempo. This vulnerability exposes the S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) encryption key in plaintext through the /status/config endpoint. A remote attacker could exploit this to obtain the key, potentially allowing unauthorized access and decryption of sensitive trace data stored in S3."], "mitigation": {"lang": "en:us", "value": "Restrict network access to the Grafana Tempo service to trusted networks only. This will limit the ability of unauthorized remote attackers to access the `/status/config` endpoint and retrieve sensitive S3 encryption keys. Configure firewall rules to prevent external access to the Grafana Tempo service. This mitigation may impact legitimate access if not configured carefully. Ensure network restrictions persist across service reloads or system restarts."}, "name": "CVE-2026-28377", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T21:39:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28377\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28377\nhttps://grafana.com/security/security-advisories/cve-2026-28377"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "2.10.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tempo", "source": "cna", "vendor": "Grafana"}, "product": "tempo", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-04-01T03:51:45.224651+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch or upgrade to a fixed Tempo release", "Restrict network access to the /status/config endpoint or add authentication so only trusted administrators can query it", "Rotate the SSE\u2011C encryption key used for S3 and re\u2011encrypt stored trace data if the key may have been compromised"], "summary": {"action": "Immediate Patch", "impact": "Confidentiality breach via exposed S3 encryption key"}, "threat_synthesis": {"affected_systems": "The only product listed by the advisory is Grafana Tempo. No specific release numbers are provided, so any instance of Tempo could be at risk until a vendor patch is applied. Administrators should assume all deployed Tempo versions are vulnerable unless they verify that a fixed revision has already been installed.", "description_and_impact": "A flaw in Grafana Tempo allows the S3 server\u2011side encryption (SSE\u2011C) key to be returned in clear text when a user accesses the /status/config endpoint. The revealed key can be used to decrypt trace data that is stored in an Amazon S3 bucket, thereby leaking the content of those traces. This weakness is a classic example of clear\u2011text credential storage (CWE\u2011312) coupled with the use of weak encryption (CWE\u2011326). The potential consequence is the compromise of all sensitive tracing information that the application collects.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high impact. The EPSS score shows less than 1% likelihood of exploitation, and the issue is not listed in CISA's KEV catalog. The advisory does not explicitly state whether authentication is required for the /status/config endpoint; it is inferred that the endpoint is accessible to any user who can reach the Tempo service, implying that unauthorized access could obtain the key. With the key exposed, an attacker could decrypt all S3 trace data that was protected by SSE\u2011C, providing full confidentiality compromise for that data."}}}}, "created": "2026-03-27T08:31:40.296020+00:00", "updated": "2026-04-02T07:56:13.324331+00:00", "vendors": ["grafana", "grafana$PRODUCT$tempo"]}