CVE-2026-28377

ADVISORY - github

Summary

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Grafana thanks william_goodfellow for reporting this vulnerability.

EPSS Score: 0.00008 (0.007)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Inadequate Encryption Strength

ADVISORY - github

Inadequate Encryption Strength

ADVISORY - redhat

Cleartext Storage of Sensitive Information

