Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0794

NIXPKGS-2026-0794
published on
Permalink CVE-2026-28377
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    31 packages
    • temporal
    • tempora_lgc
    • temporalite
    • temporal-cli
    • temporal_capi
    • temporal-ui-server
    • gnomeExtensions.tempomate
    • haskellPackages.temporary
    • python312Packages.tempora
    • python313Packages.tempora
    • python314Packages.tempora
    • tests.haskell.incremental
    • haskellPackages.temporary-rc
    • python312Packages.temporalio
    • python313Packages.temporalio
    • python314Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • haskellPackages.temporal-api-protos
    • haskellPackages.temporary-resourcet
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql17Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • terraform-providers.temporalio_temporalcloud
    • haskellPackages.temporal-music-notation-western
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

Affected products

Tempo
  • ==2.10.3

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

Ignored packages (31)

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.temporalite

Experimental distribution of Temporal that runs as a single process

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.gnomeExtensions.tempomate

Effortless time tracking in Jira Tempo timesheets!

  • nixos-unstable 17
    • nixpkgs-unstable 17
    • nixos-unstable-small 17
  • nixos-25.11 17
    • nixos-25.11-small 17
    • nixpkgs-25.11-darwin 17

Package maintainers

Upstream advisory: https://grafana.com/security/security-advisories/cve-2026-28377