CVE-2026-21728: Grafana Tempo has an Uncontrolled Resource Consumption issue
Tempo queries with large limits can cause large memory allocations, which can impact the availability of the service depending on its deployment strategy.
To mitigate, set max_result_limit in the search config, e.g. to 262144 (2^18).
References
- github.com/advisories/GHSA-p4r4-xvrq-gvmc
- github.com/grafana/tempo
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-10.md?plain=1
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-8.md?plain=1
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-9.md?plain=1
- github.com/grafana/tempo/commit/650eb1985a0776789c8564122990f588a742356f
- github.com/grafana/tempo/pull/6525
- grafana.com/security/security-advisories/cve-2026-21728
- nvd.nist.gov/vuln/detail/CVE-2026-21728