Skip to main content

Pyroscope CVE-2025-41118

| EUVDEUVD-2025-209489 CRITICAL
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-15 GRAFANA GHSA-m9hq-h476-h2g8
9.1
CVSS 3.1 · Vendor: GRAFANA
Share

Severity by source

Vendor (GRAFANA) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GRAFANA).

CVSS VectorVendor: GRAFANA

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 20, 2026 - 20:10 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
1.16.0
EUVD ID Assigned
Apr 15, 2026 - 19:45 euvd
EUVD-2025-209489
CVE Published
Apr 15, 2026 - 19:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).

If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.

To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.

This vulnerability is fixed in versions:

1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions).

Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

Analysis

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).

If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.

To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.

This vulnerability is fixed in versions:

1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions).

Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

Vendor StatusVendor

Share

CVE-2025-41118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy