Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (GRAFANA).
CVSS VectorVendor: GRAFANA
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).
AnalysisAI
Denial of service in Grafana Tempo allows unauthenticated remote attackers to exhaust server memory by sending trace queries with excessively large result limits. The vulnerability causes unbounded memory allocation during query processing, degrading or halting service availability depending on deployment resources. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis. Mitigation available through configuration change rather than software patch.
Technical ContextAI
Grafana Tempo is a distributed tracing backend designed for high-volume trace data storage and retrieval. The vulnerability stems from insufficient validation of the 'limit' parameter in search queries, allowing callers to request arbitrarily large result sets. When processing these queries, Tempo allocates memory proportional to the requested limit before applying data retrieval operations. Without server-side enforcement of maximum result sizes, malicious or misconfigured clients can trigger memory allocations exceeding available system resources. This is a resource exhaustion vulnerability affecting the query processing pipeline. The CPE indicates all versions of Grafana Tempo are potentially affected, though specific vulnerable version ranges have not been published by the vendor.
RemediationAI
Apply the configuration-based mitigation by setting max_result_limit in Tempo's search configuration block to 262144 (2^18) or lower based on operational requirements and available memory resources. This parameter caps the maximum number of trace results returned per query, preventing unbounded memory allocations. Implementation requires modifying the Tempo configuration file (typically tempo.yaml) and restarting the service. Organizations should assess their legitimate maximum query result needs before selecting a limit value, balancing security against operational functionality. Monitor query rejection metrics post-deployment to identify clients requiring limit adjustments. For defense in depth, implement query-side rate limiting at reverse proxy or API gateway layers to restrict total query volume per client. Review https://grafana.com/security/security-advisories/cve-2026-21728 for vendor-recommended configuration examples and any subsequent patched releases that enforce default limits. Note that restricting max_result_limit may break workflows relying on large trace retrievals, requiring application-level pagination changes.
An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Rated mediu
Grafana Tempo and Enterprise Traces (GET) are vulnerable to an authenticated denial-of-service condition triggered by su
The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not prop
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25408
GHSA-p4r4-xvrq-gvmc