CVE-2026-28377
ADVISORY - github
Summary
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Grafana thanks william_goodfellow for reporting this vulnerability.
Common Weakness Enumeration (CWE)
Inadequate Encryption Strength
Cleartext Storage of Sensitive Information
NIST: 3.9 | CVSS score: 7.5 (high)
GitHub: 3.9 | CVSS score: 7.5 (high)
GoLang: -
Red Hat: 2.8 | CVSS score: 6.5 (medium)
Chainguard: CGA-2x6g-q6mj-7gf2 | -
minimos: MINI-36mw-g675-43x2 | -
minimos: MINI-4m3r-pp45-j64h | -
minimos: MINI-5g2p-jcqx-x3jw | -
minimos: MINI-5rqm-2mx5-xf4q | -
minimos: MINI-6whv-mj47-cf6g | -
minimos: MINI-79m3-25gj-89gh | -
minimos: MINI-7frh-jhfm-pg4h | -
minimos: MINI-7gpw-g5rf-cpvr | -
minimos: MINI-86wq-3h23-58jh | -
minimos: MINI-97hx-9jg6-cph4 | -
minimos: MINI-9qc2-9c4p-crr4 | -
minimos: MINI-cwp3-vxfg-6whh | -
minimos: MINI-j8p6-57qm-g9pp | -
minimos: MINI-phqc-8q3j-q3fm | -
minimos: MINI-pwmx-hx76-446w | -
minimos: MINI-qfhg-cf95-p92r | -
minimos: MINI-r294-4x54-f49f | -
minimos: MINI-rv54-m5mp-mj44 | -