Tempo
Monthly
Grafana Tempo and Enterprise Traces (GET) are vulnerable to an authenticated denial-of-service condition. Submitting a TraceQL query that contains an excessively large exemplars hint value causes the Tempo service to allocate unbounded memory until an out-of-memory crash occurs. Any authenticated user with query access - even a low-privileged one - can exploit this to take down the Tempo tracing backend, disrupting observability pipelines for the entire platform. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.