EUVD-2026-16424
GHSA-ffqx-q65f-36jf
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.
Analysis
Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all Grafana Tempo deployments and restrict network access to the /status/config endpoint using firewall or WAF rules to block external traffic. Within 7 days: Rotate all S3 SSE-C encryption keys used with affected Tempo instances; document current key exposure scope by reviewing access logs to the /status/config endpoint. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today