Tempo v2.10.3 released on 17-03-2026

Tempo v2.10.3 is out now. The release marks the S3 SSE‑C configuration field encryption_key as a secret so it will no longer be exposed in plaintext, resolving CVE‑2026‑28377 and reducing the risk of accidental disclosure of customer‑supplied SSE‑C keys.
Operators should consult the Tempo GitHub release and PR #6711 for the full technical details and follow the provided mitigation and upgrade guidance.
What’s in this release
- S3 SSE‑C configuration field encryption_key is now treated as a secret to prevent plaintext exposure.
- Fix resolves CVE‑2026‑28377; implemented in PR #6711 by @mattdurham.
- Closes the earlier leakage paths where keys could appear in configs, logs or API outputs.
Upgrade notes
- Systems not using SSE‑C are not affected; SSE‑C users should prioritise upgrading to v2.10.3 and rotate any SSE‑C keys that may have been exposed before the upgrade.
- For rolling clusters, upgrade agents and servers consistently to avoid mixed behaviour; test key handling in a staging environment and verify logs and debug outputs do not contain the encryption_key after upgrade.
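One way to run the log and config check from the upgrade notes, as an added example that is not part of the release or the Tempo project's code. The mask forms it accepts (`********`, `<redacted>`, empty), the function names and the sample lines are assumptions constructed for illustration; findings are reported by hash prefix so the audit does not print the key again.

```python
import hashlib
import re

# Matches YAML (encryption_key: v), JSON ("encryption_key": "v") and
# logfmt/flag (encryption_key=v) renderings of the field.
FIELD_RE = re.compile(r'encryption_key["\']?\s*[:=]\s*["\']?([^"\'\s,}]*)')
# Assumed renderings of a masked or unset secret; adjust to what your build emits.
MASK_RE = re.compile(r'^(\*+|<redacted>)?$', re.IGNORECASE)


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix so findings can be correlated without re-printing the key."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def find_exposures(lines, known_keys=()):
    """Return (line_no, reason, fingerprint) for every line that leaks a key."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = FIELD_RE.search(line)
        if m and not MASK_RE.match(m.group(1)):
            findings.append((no, "unmasked encryption_key field", fingerprint(m.group(1))))
            continue
        # Also catch the raw value appearing under some other field name.
        for key in known_keys:
            if key and key in line:
                findings.append((no, "known key value outside the field", fingerprint(key)))
                break
    return findings


# Constructed sample lines, not real Tempo output.
SAMPLE_KEY = "CONSTRUCTED-SAMPLE-KEY-NOT-REAL"
SAMPLE = [
    "      encryption_key: '********'",
    "      encryption_key: " + SAMPLE_KEY,
    'level=debug msg="s3 config" encryption_key=' + SAMPLE_KEY,
    'level=info msg="request" header=' + SAMPLE_KEY,
    "      encryption_key: ",
    '{"sse": {"type": "SSE-C", "encryption_key": "********"}}',
]

if __name__ == "__main__":
    for no, reason, fp in find_exposures(SAMPLE, known_keys=[SAMPLE_KEY]):
        print(f"line {no}: {reason} (sha256 prefix {fp})")
```

Any finding in logs or config dumps written before the upgrade means that key should be rotated, as the upgrade notes advise.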
