A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Thanks to william_goodfellow for reporting this vulnerability.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"last_affected": "2.10.3"
}
]
}
],
"cna_assigner": "GRAFANA",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28377.json"
}