Nixpkgs security tracker

Suggestions search

With package: tempo

Found 2 matching suggestions

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-21728
7.5 HIGH
  • CVSS version: 3.1
updated 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
Tempo query limit results in unbounded memory allocation

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Affected products

Tempo
  • <v2.11.0

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.gnomeExtensions.tempomate

Effortless time tracking in Jira Tempo timesheets!

  • nixos-unstable 17
    • nixpkgs-unstable 17
    • nixos-unstable-small 17
  • nixos-25.11 17
    • nixos-25.11-small 17
    • nixpkgs-25.11-darwin 17

Published
Permalink CVE-2026-28377
7.5 HIGH
  • CVSS version: 3.1
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    31 packages
    • temporal
    • tempora_lgc
    • temporalite
    • temporal-cli
    • temporal_capi
    • temporal-ui-server
    • gnomeExtensions.tempomate
    • haskellPackages.temporary
    • python312Packages.tempora
    • python313Packages.tempora
    • python314Packages.tempora
    • tests.haskell.incremental
    • haskellPackages.temporary-rc
    • python312Packages.temporalio
    • python313Packages.temporalio
    • python314Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • haskellPackages.temporal-api-protos
    • haskellPackages.temporary-resourcet
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql17Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • terraform-providers.temporalio_temporalcloud
    • haskellPackages.temporal-music-notation-western
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

Affected products

Tempo
  • ==2.10.3

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

Ignored packages (31)

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.temporalite

Experimental distribution of Temporal that runs as a single process

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.gnomeExtensions.tempomate

Effortless time tracking in Jira Tempo timesheets!

  • nixos-unstable 17
    • nixpkgs-unstable 17
    • nixos-unstable-small 17
  • nixos-25.11 17
    • nixos-25.11-small 17
    • nixpkgs-25.11-darwin 17

Upstream advisory: https://grafana.com/security/security-advisories/cve-2026-28377