Grafana Tempo High-Severity DoS Vulnerability Resolved — Update Required

Summary

Italy's CSIRT issued Alert AL05/260424/CSIRT-ITA disclosing a high-severity denial-of-service vulnerability in Grafana Tempo, an open-source component of the LGTM observability stack (Loki, Grafana, Tempo, Mimir). The vulnerability, tracked as CVE-2026-21728, affects all versions from v1.3.0 through v2.11.0 (exclusive) and could allow a remote attacker to compromise service availability on affected systems. CSIRT-ITA rates the system impact as Medium (CVSS 63.46) and recommends that organisations using Grafana Tempo update to a patched version as specified in Grafana's official security advisory.

Why this matters

Organisations operating Grafana Tempo in observability, DevOps, or infrastructure monitoring pipelines should treat this as a priority patch event. Because Grafana Tempo forms part of the distributed tracing layer in many cloud-native and SRE toolchains, unpatched instances could put broader platform availability at risk. Security teams should cross-reference this advisory with their own CVE-2026-21728 tracking to confirm patch deployment status.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CSIRT-ITA on acn.gov.it. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

What changed

CSIRT-ITA published an alert confirming that a high-severity denial-of-service vulnerability has been resolved in Grafana Tempo by the vendor. The alert identifies CVE-2026-21728 as affecting all Grafana Tempo versions from v1.3.0 to v2.11.0 (exclusive) and rates the system impact as Medium (63.46). The sole recommended mitigation is to update affected installations to a fixed version per the Grafana security advisory.

Organisations running Grafana Tempo in any environment — particularly production observability platforms — should immediately inventory their instances, confirm whether any deployed version falls within the affected range, and apply the vendor-issued patch without delay. Failure to remediate leaves the LGTM stack exposed to remote availability compromise. This is a standard vendor-patch advisory; no specific compliance deadlines or penalties are stated.

What to do next

  1. Update vulnerable Grafana Tempo installations to a patched version following the vendor security advisory referenced at grafana.com/security/security-advisories/cve-2026-21728

Classification

Agency: CSIRT-ITA
Published: April 24th, 2026
Instrument: Guidance
Branch: Executive
Source language: it
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability patching, Open-source software security, Observability platform updates
Geographic scope: IT

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Software & Technology
