{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28377", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-27T07:16:12.218Z", "datePublished": "2026-03-26T21:39:46.928Z", "dateUpdated": "2026-03-27T14:28:55.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:55.765Z"}, "datePublic": "2026-03-26T21:34:51.017Z", "title": "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)", "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}], "affected": [{"vendor": "Grafana", "product": "Tempo", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "2.10.3", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28377", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-326", "lang": "en", "description": "CWE-326 Inadequate Encryption Strength"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:29:52.402572Z", "id": "CVE-2026-28377", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:54:56.438Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Tempo", "versions": [{"status": "affected", "version": "2.10.3", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-26T21:34:51.017Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28377", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-26T21:41:06.833Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:29:52.402572Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-326", "description": "CWE-326 Inadequate Encryption Strength"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:31:05.593Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-28377", "state": "PUBLISHED", "dateUpdated": "2026-03-26T21:41:06.833Z", "dateReserved": "2026-02-27T07:16:12.218Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-26T21:39:46.928Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad en Grafana Tempo expone la clave de cifrado S3 SSE-C en texto plano a trav\u00e9s del endpoint /status/config, lo que podr\u00eda permitir a usuarios no autorizados obtener la clave utilizada para cifrar los datos de traza almacenados en S3.\n\nGracias a william_goodfellow por informar sobre esta vulnerabilidad."}], "id": "CVE-2026-28377", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:28.460", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-28377"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Grafana Tempo: Grafana Tempo: Information disclosure of S3 encryption key via status config endpoint", "id": "2451990", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451990"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-312", "details": ["A flaw was found in Grafana Tempo. This vulnerability exposes the S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) encryption key in plaintext through the /status/config endpoint. A remote attacker could exploit this to obtain the key, potentially allowing unauthorized access and decryption of sensitive trace data stored in S3."], "mitigation": {"lang": "en:us", "value": "Restrict network access to the Grafana Tempo service to trusted networks only. This will limit the ability of unauthorized remote attackers to access the `/status/config` endpoint and retrieve sensitive S3 encryption keys. Configure firewall rules to prevent external access to the Grafana Tempo service. This mitigation may impact legitimate access if not configured carefully. Ensure network restrictions persist across service reloads or system restarts."}, "name": "CVE-2026-28377", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T21:39:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28377\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28377\nhttps://grafana.com/security/security-advisories/cve-2026-28377"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "2.10.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tempo", "source": "cna", "vendor": "Grafana"}, "product": "tempo", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-27T21:38:55.753441+00:00", "value": {"mitigation_remediation": ["Apply the latest Grafana Tempo patch released by the vendor.", "Restrict network access to the /status/config endpoint to trusted hosts or enforce authentication.", "If the endpoint is unnecessary, disable or remove it from the deployment.", "Rotate the S3 SSE\u2011C keys used by Tempo to invalidate any key that may have been leaked.", "Monitor system logs for unexpected access to /status/config and investigate any anomalies."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Grafana Tempo. The CVE record does not specify particular product versions, implying that any Tempo installation that exposes the /status/config endpoint without proper protection may be impacted.", "description_and_impact": "Grafana Tempo contains a flaw that allows the /status/config endpoint to reveal the S3 key used for server\u2011side encryption with customer\u2011provided keys (SSE\u2011C). Exposure of this key permits an attacker to decrypt trace data stored in S3, compromising the confidentiality of all telemetry data protected by that key. The vulnerability is categorized under CWE\u2011312 (Information Exposure Through Used Secret) and CWE\u2011326 (Cryptographic Failures: Key Management).", "risk_and_exploitability": "The CVSS score of 7.5 signals a high severity vulnerability while the EPSS score is below 1%, indicating current exploitation likelihood is low but future potential remains. The CVE is not listed in the CISA KEV catalog. Exploitation requires access to the /status/config endpoint; if the endpoint is publicly reachable, an unauthenticated attacker can retrieve the key. If the endpoint is shielded by authentication or network controls, the attacker would need limited privileged access. Once the key is obtained, the attacker gains full decryption capability for all trace data protected by that key, representing a significant confidentiality breach."}}}}, "created": "2026-03-27T08:31:40.296020+00:00", "updated": "2026-03-29T20:27:48.051829+00:00", "vendors": ["grafana", "grafana$PRODUCT$tempo"]}