CVE-2025-41118
Published: 15 April 2026
Summary
CVE-2025-41118 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Grafana Pyroscope. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Vendor patching: upgrading to Pyroscope 1.15.2+, 1.16.1+, or 1.17.0+ directly removes the API exposure of the Tencent COS secret_key.
- SC-7 (Boundary Protection): controls and monitors external network access to the Pyroscope API, preventing remote attackers from reaching the vulnerable endpoint, as the advisory recommends.
- AC-3 (Access Enforcement): enforces logical access controls on the Pyroscope API so that authentication and authorization are required, blocking unauthorized extraction of the secret_key configuration value.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exposure of the COS secret_key through a reachable Pyroscope API means an attacker can obtain cloud credentials (T1552, Unsecured Credentials) simply by exploiting the public-facing application (T1190).
NVD Description
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.
Deeper analysis
CVE-2025-41118 is a vulnerability in Pyroscope, an open-source continuous profiling database that supports various storage backends, including Tencent Cloud Object Storage (COS). When configured to use Tencent COS as the storage backend, the Pyroscope API improperly exposes the secret_key configuration value, allowing unauthorized extraction. The issue is rated at CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-732.
An attacker with direct network access to the Pyroscope API can exploit this vulnerability remotely with low complexity and without privileges or user interaction. Successful exploitation yields the Tencent COS secret_key, which can grant unauthorized access to the associated cloud storage backend and compromise the confidentiality and integrity of stored profiling data.
The Grafana security advisory at https://grafana.com/security/security-advisories/cve-2025-41118 details the fix in Pyroscope versions 1.15.2 and above for the 1.15.x series, 1.16.1 and above for the 1.16.x series, and all versions of 1.17.x. It recommends limiting public internet exposure of Pyroscope instances to trusted users or internal systems only. The vulnerability was reported by Théo Cusnir via the bug bounty program.
Details
- CWE(s)