Upstream information

CVE-2026-28377 at MITRE

Description

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.

Thanks to william_goodfellow for reporting this vulnerability.

SUSE information

Overall state of this security issue: Does not affect SUSE products

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s): openSUSE Tumbleweed
Fixed package version(s): tempo-cli >= 2.10.3-1.1
References: Patchnames: openSUSE-Tumbleweed-2026-10390


SUSE Timeline for this CVE

CVE page created: Thu Mar 19 01:48:34 2026
CVE page last modified: Mon Mar 30 15:57:28 2026