Vulnerability in Pyroscope Database Using Tencent Cloud Object Storage
CVE-2025-41118
9.1 CRITICAL
What is CVE-2025-41118?
The Pyroscope database, particularly when configured with Tencent Cloud Object Storage (COS), has a vulnerability that may allow an attacker to extract sensitive API configuration values, including the secret_key. This occurs when the database is directly accessible through the public internet. Organizations are strongly advised to limit access to the Pyroscope API solely to trusted users or internal systems to mitigate the risk of exploitation. The issue has been addressed in updated versions of the product.
Affected Version(s)
Pyroscope OnPrem 1.0.0 < 1.16.0