CVE Catalog

CVE-2026-27878

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

A vulnerability in Grafana Tempo allows an authenticated user to execute a TraceQL query with a large exemplars hint value, causing excessive memory allocation and crashing the Tempo instance due to out-of-memory.

Risk Assessment

An attacker can perform a Denial of Service (DoS) attack on the Tempo service, causing it to crash and disrupting trace monitoring operations.

Recommendation

Immediately update Grafana Tempo to a version that limits the exemplars hint value in TraceQL queries, and implement memory limits for Tempo instances.

Original NVD description (English source)

A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS