{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28377", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-27T07:16:12.218Z", "datePublished": "2026-03-26T21:39:46.928Z", "dateUpdated": "2026-03-26T21:41:06.833Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-26T21:41:06.833Z"}, "datePublic": "2026-03-26T21:34:51.017Z", "title": "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)", "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}], "affected": [{"vendor": "Grafana", "product": "Tempo", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "2.10.3", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28377", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."}], "id": "CVE-2026-28377", "lastModified": "2026-03-26T22:16:28.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:28.460", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-28377"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "Grafana Tempo: Grafana Tempo: Information disclosure of S3 encryption key via status config endpoint", "id": "2451990", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451990"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-312", "details": ["A flaw was found in Grafana Tempo. This vulnerability exposes the S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) encryption key in plaintext through the /status/config endpoint. A remote attacker could exploit this to obtain the key, potentially allowing unauthorized access and decryption of sensitive trace data stored in S3."], "mitigation": {"lang": "en:us", "value": "Restrict network access to the Grafana Tempo service to trusted networks only. This will limit the ability of unauthorized remote attackers to access the `/status/config` endpoint and retrieve sensitive S3 encryption keys. Configure firewall rules to prevent external access to the Grafana Tempo service. This mitigation may impact legitimate access if not configured carefully. Ensure network restrictions persist across service reloads or system restarts."}, "name": "CVE-2026-28377", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T21:39:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28377\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28377\nhttps://grafana.com/security/security-advisories/cve-2026-28377"], "threat_severity": "Moderate"}