Grafana Tempo S3 SSE-C Encryption Key Exposure via /status/config Endpoint
CVE-2026-28377 Published on March 26, 2026

S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

Vendor Advisory NVD

Weakness Type

Inadequate Encryption Strength

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Affected Versions

Grafana Tempo Version 2.10.3 is affected by CVE-2026-28377

Exploit Probability

EPSS

0.01%

Percentile

1.18%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Grafana Tempo S3 SSE-C Encryption Key Exposure via /status/config EndpointCVE-2026-28377 Published on March 26, 2026

Weakness Type

Inadequate Encryption Strength

Affected Versions

Exploit Probability

Grafana Tempo S3 SSE-C Encryption Key Exposure via /status/config Endpoint
CVE-2026-28377 Published on March 26, 2026