CVE-2026-27878 | A TraceQL query in Grafana Tempo with a large exemplars hint… | CVSS 6.5 MEDIUM

Description

A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.

Metadata

CVE ID: CVE-2026-27878
State: PUBLISHED
Assigner: GRAFANA
Reserved: 2026-02-24 14:30 UTC
Published: 2026-06-19 19:02 UTC
Last updated: 2026-06-19 19:03 UTC
Vendor / Product: Grafana / Enterprise Traces (GET)
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products (2)

Vendor	Product	Platform	Versions
Grafana	Enterprise Traces (GET)	—	2.6.1 < 2.8.8
Grafana	Tempo	—	2.6.0 < 2.10.2

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (1)

https://grafana.com/security/security-advisories/cve-2026-27878