Skip to main content

Grafana Tempo EUVDEUVD-2026-25408

| CVE-2026-21728 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-24 GRAFANA GHSA-p4r4-xvrq-gvmc
7.5
CVSS 3.1 · Vendor: GRAFANA
Share

Severity by source

Vendor (GRAFANA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GRAFANA).

CVSS VectorVendor: GRAFANA

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 09:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 09:15 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 09:00 euvd
EUVD-2026-25408
Analysis Generated
Apr 24, 2026 - 09:00 vuln.today
CVE Published
Apr 24, 2026 - 08:00 nvd
HIGH 7.5

DescriptionCVE.org

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.

Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

AnalysisAI

Denial of service in Grafana Tempo allows unauthenticated remote attackers to exhaust server memory by sending trace queries with excessively large result limits. The vulnerability causes unbounded memory allocation during query processing, degrading or halting service availability depending on deployment resources. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis. Mitigation available through configuration change rather than software patch.

Technical ContextAI

Grafana Tempo is a distributed tracing backend designed for high-volume trace data storage and retrieval. The vulnerability stems from insufficient validation of the 'limit' parameter in search queries, allowing callers to request arbitrarily large result sets. When processing these queries, Tempo allocates memory proportional to the requested limit before applying data retrieval operations. Without server-side enforcement of maximum result sizes, malicious or misconfigured clients can trigger memory allocations exceeding available system resources. This is a resource exhaustion vulnerability affecting the query processing pipeline. The CPE indicates all versions of Grafana Tempo are potentially affected, though specific vulnerable version ranges have not been published by the vendor.

RemediationAI

Apply the configuration-based mitigation by setting max_result_limit in Tempo's search configuration block to 262144 (2^18) or lower based on operational requirements and available memory resources. This parameter caps the maximum number of trace results returned per query, preventing unbounded memory allocations. Implementation requires modifying the Tempo configuration file (typically tempo.yaml) and restarting the service. Organizations should assess their legitimate maximum query result needs before selecting a limit value, balancing security against operational functionality. Monitor query rejection metrics post-deployment to identify clients requiring limit adjustments. For defense in depth, implement query-side rate limiting at reverse proxy or API gateway layers to restrict total query volume per client. Review https://grafana.com/security/security-advisories/cve-2026-21728 for vendor-recommended configuration examples and any subsequent patched releases that enforce default limits. Note that restricting max_result_limit may break workflows relying on large trace retrievals, requiring application-level pagination changes.

Vendor StatusVendor

Share

EUVD-2026-25408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy