CVE-2026-28377

High

Published: 26 March 2026

Published

26 March 2026

Modified

31 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0001 0.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28377 is a high-severity Inadequate Encryption Strength (CWE-326) vulnerability in Grafana Tempo. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely patching and remediation of the Grafana Tempo flaw exposing the S3 SSE-C encryption key via the /status/config endpoint.

AC-3 Access Enforcement good match

prevent

Enforces authentication and authorization mechanisms to block unauthenticated access to the sensitive /status/config endpoint containing the encryption key.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits permitted actions without identification or authentication, specifically prohibiting unauthenticated retrieval of encryption keys from endpoints like /status/config.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1530 Data from Cloud Storage Collection

Adversaries may access data from cloud storage.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing Grafana Tempo /status/config endpoint enables unauthenticated exploitation for initial access (T1190) and directly exposes S3 encryption key (T1552), facilitating decryption and access to cloud-stored trace data (T1530).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

Deeper analysisAI

CVE-2026-28377 is a vulnerability in Grafana Tempo that exposes the S3 SSE-C encryption key in plaintext via the /status/config endpoint. This flaw affects Grafana Tempo instances configured to store trace data in S3 using SSE-C encryption, as the endpoint reveals the key used to protect that data. The issue, reported by william_goodfellow, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-326.

Any unauthenticated attacker with network access to the vulnerable Grafana Tempo instance can exploit this by sending a request to the /status/config endpoint, obtaining the encryption key directly in plaintext. With the key, the attacker can then decrypt and access sensitive trace data stored in the target S3 bucket, leading to high confidentiality impact without requiring privileges, user interaction, or elevated complexity.

Grafana has issued a security advisory with further details at https://grafana.com/security/security-advisories/cve-2026-28377. Security practitioners should consult this advisory for recommended mitigations and patches.