Description

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

INFO

Published Date :

2026-04-15T19:15:17.689Z

Last Modified :

2026-04-15T19:33:10.329Z

Source :

GRAFANA
AFFECTED PRODUCTS

The following products are affected by CVE-2025-41118 vulnerability.

Vendors Products
Grafana
  • Pyroscope
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-41118.

URL Resource
https://grafana.com/security/security-advisories/cve-2025-41118 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-41118 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-41118 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact