CVE-2026-28377: S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Thanks to william_goodfellow for reporting this vulnerability.
Security readout for executives and security teams
Plain-English summary
Grafana Tempo 2.10.3 can expose an S3 customer-provided encryption key in plaintext through its /status/config endpoint. If that endpoint is reachable by an unauthorized user, the key protecting trace data in S3 could be disclosed. The known impact is loss of confidentiality, not data modification or service outage.
Executive priority
Prioritize within the current remediation cycle if Tempo 2.10.3 uses S3 SSE-C. Escalate faster if the status endpoint is internet-facing or shared across untrusted networks.
Technical view
The source describes a network-reachable, unauthenticated confidentiality issue in Tempo 2.10.3. The /status/config endpoint may reveal the S3 SSE-C encryption key in plaintext. CVSS 3.1 is 7.5 with high confidentiality impact and no stated integrity or availability impact. No fixed version is provided in the supplied sources.
Likely exposure
Organizations running Grafana Tempo 2.10.3 with S3 SSE-C configured are the relevant exposure group. Risk is highest where /status/config is reachable without strong access controls.
Exploitation context
The CVE record does not indicate KEV listing or active exploitation. The provided evidence supports unauthenticated network exposure of sensitive configuration, but does not provide public exploit evidence or attacker activity.
Researcher notes
Evidence is limited to the CVE bundle and Grafana advisory reference. The issue matches a sensitive-configuration-disclosure pattern: secret material appears in an operational config endpoint. Confirm behavior only in authorized environments and avoid retaining exposed key material.
Mitigation direction
Review the Grafana advisory for official fixed versions or supported workarounds.
Restrict access to Tempo status and configuration endpoints to trusted administrative networks.
Treat exposed S3 SSE-C keys as compromised and rotate them after containment.
Review S3 trace data access controls and least-privilege permissions.
Upgrade Tempo when Grafana identifies a corrected release.
Validation and detection
Inventory Grafana Tempo deployments and identify any running version 2.10.3.
Confirm whether S3 SSE-C is configured for trace storage.
Verify /status/config is not publicly or broadly reachable.
Check controlled endpoint output for plaintext sensitive S3 key material.
Review access logs for unexpected /status/config requests.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-326: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-326 · source CWE mapping
Inadequate Encryption Strength
Inadequate Encryption Strength represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.