CVE-2026-21728 — Grafana Tempo has an Uncontrolled Resource Consumption issue

Description

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

How to fix CVE-2026-21728

To remediate CVE-2026-21728, upgrade the affected package to a fixed version below.

—upgrade to 2.8.4 or later

Is CVE-2026-21728 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.3.0, < 2.8.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-21728
PATCHgithub.com/grafana/tempo
WEBgithub.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-10.md?plain=1#L328
WEBgithub.com