What is the CVSS score of CVE-2026-28377?

CVE-2026-28377 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Grafana are affected by CVE-2026-28377?

Grafana Tempo instances expose AWS S3 encryption keys through an unauthenticated API endpoint, allowing attackers to bypass encryption protections on trace data stored in cloud infrastructure.. A patch is available.

How to fix or mitigate CVE-2026-28377?

Within 24 hours: Audit all Grafana Tempo deployments and restrict network access to the /status/config endpoint using firewall or WAF rules to block external traffic. Within 7 days: Rotate all S3 SSE-C encryption keys used with affected Tempo instances; document current key exposure scope by reviewing access logs to the /status/config endpoint. Within 30 days: Implement network segmentation to isolate Tempo instances, disable the /status/config endpoint if not operationally required, and monitor vendor advisories for patched versions; consider migrating to S3 SSE-KMS with AWS KMS key management as an alternative encryption approach.

Grafana CVE-2026-28377

EUVD-2026-16424 HIGH

Inadequate Encryption Strength (CWE-326)

2026-03-26 GRAFANA

GHSA-ffqx-q65f-36jf

Grafana Authentication Bypass Red Hat

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Red Hat

6.5 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 26, 2026 - 22:01 euvd

EUVD-2026-16424

Analysis Generated

Mar 26, 2026 - 22:01 vuln.today

CVE Published

Mar 26, 2026 - 21:39 nvd

HIGH 7.5

DescriptionCVE.org

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Thanks to william_goodfellow for reporting this vulnerability.

AnalysisAI

Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access /status/config endpoint

Exploit

Retrieve plaintext S3 SSE-C encryption key

Impact

Decrypt trace data in S3 bucket

Access

Access /status/config endpoint

Exploit

Retrieve plaintext S3 SSE-C encryption key

Impact

Decrypt trace data in S3 bucket

Vulnerability AssessmentAI

Exploitation	Grafana Tempo with S3 SSE-C encryption configured. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is significant despite no active exploitation evidence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated remote attacker sends an HTTP GET request to the publicly accessible /status/config endpoint on a Grafana Tempo instance. The server responds with configuration details including the S3 SSE-C encryption key in plaintext. …
Remediation	Consult the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-28377 for official patch versions and upgrade guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Grafana Tempo deployments and restrict network access to the /status/config endpoint using firewall or WAF rules to block external traffic. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11769 MEDIUM This Month

6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

SUSE

Product	Status
openSUSE Tumbleweed	Fixed

CVE-2026-28377 vulnerability details – vuln.today

Back

Grafana CVE-2026-28377

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code