Nixpkgs security tracker

Suggestions search

With package: tempo

Found 3 matching suggestions

Untriaged
CVE-2026-27878
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 13 hours ago Activity log
  • Created suggestion
Tempo TraceQL query with exemplar hint could result in unbounded memory usage

A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.

Affected products

Tempo
  • <2.10.2
Enterprise Traces (GET)
  • <2.8.8

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.gnomeExtensions.tempomate

Effortless time tracking in Jira Tempo timesheets!

  • nixos-unstable 17
    • nixpkgs-unstable 17
    • nixos-unstable-small 17
  • nixos-26.05 17
    • nixos-26.05-small 17
    • nixpkgs-26.05-darwin 17

Package maintainers

Dismissed
(not in Nixpkgs)
CVE-2026-21728
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
Tempo query limit results in unbounded memory allocation

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Affected products

Tempo
  • <v2.11.0

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.temporal_capi

A Rust implementation of ECMAScript's Temporal API

Package maintainers

Published
CVE-2026-28377
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    31 packages
    • temporal
    • tempora_lgc
    • temporalite
    • temporal-cli
    • temporal_capi
    • temporal-ui-server
    • gnomeExtensions.tempomate
    • haskellPackages.temporary
    • python312Packages.tempora
    • python313Packages.tempora
    • python314Packages.tempora
    • tests.haskell.incremental
    • haskellPackages.temporary-rc
    • python312Packages.temporalio
    • python313Packages.temporalio
    • python314Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • haskellPackages.temporal-api-protos
    • haskellPackages.temporary-resourcet
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql17Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • terraform-providers.temporalio_temporalcloud
    • haskellPackages.temporal-music-notation-western
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

Affected products

Tempo
  • ==2.10.3

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

Ignored packages (31)

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.temporal_capi

A Rust implementation of ECMAScript's Temporal API

Package maintainers

Upstream advisory: https://grafana.com/security/security-advisories/cve-2026-28377