Tempo v2.10.3 released on 17-03-2026
Tempo v2.10.3 is out now. It addresses an information exposure in S3 SSE‑C handling by treating the encryption_key as a secret so it is not exposed in plaintext.
Users running customer‑provided S3 server‑side encryption (SSE‑C) should review the release notes and PR #6711 on the Tempo GitHub for details and the related advisory (CVE-2026-28377).
What’s in this release
- S3 SSE‑C encryption_key is now treated as a secret to prevent it appearing in logs, diagnostics or other outputs (security fix).
- Fix resolves the information exposure tracked as CVE-2026-28377.
- Change implemented in PR #6711 (author: @mattdurham).
Upgrade notes
- Upgrade to v2.10.3 if you use S3 SSE‑C — this is a security‑critical fix that eliminates the plaintext exposure risk.
- If you cannot upgrade immediately: rotate SSE‑C keys, remove keys from logs or configuration files accessible to non‑privileged users, and restrict access to systems that store or process those keys.
Share comments on your experience upgrading or any issues via the Tempo GitHub PR discussion or the repository issue tracker.