CVE-2025-41118
published 2026-04-15


Priority: P263
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.41% (32.4th percentile)
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

Affected

11 ranges
Vendor                   Product                                 Version range         Fixed in
github.com               grafana_pyroscope                       >= 0 < 1.15.2         1.15.2
github.com               grafana_pyroscope                       >= 1.16.0 < 1.16.1    1.16.1
grafana                  grafana                                 (not listed)          (not listed)
grafana                  pyroscope                               < 1.15.2              1.15.2
grafana                  pyroscope                               (not listed)          (not listed)
grafana                  pyroscope                               >= 1.0.0 < 1.16.0     1.16.0
multicluster-globalhub   multicluster-globalhub-grafana-rhel8    (not listed)          (not listed)
multicluster-globalhub   multicluster-globalhub-grafana-rhel9    (not listed)          (not listed)
rhacm2                   acm-grafana-rhel9                       (not listed)          (not listed)
rhceph                   rhceph-5-dashboard-rhel8                (not listed)          (not listed)
rhceph                   rhceph-6-dashboard-rhel9                (not listed)          (not listed)

Detection & IOCs (extracted from sources)

  • Monitor for unauthenticated or unauthorized access to the Pyroscope configuration API, which on vulnerable versions returns the Tencent COS `secret_key` in plaintext
  • Alert on plaintext `secret_key` values appearing in Pyroscope API responses when COS is configured as the storage backend
  • Flag Pyroscope instances running any version below 1.15.2, or a 1.16.x release below 1.16.1, as vulnerable when the COS backend is in use; 1.17.0 and every later release is fixed
  • The vulnerability is only exploitable when Tencent Cloud Object Storage (COS) is configured as the Pyroscope storage backend; deployments using other backends are not affected
  • Exploitation requires direct access to the Pyroscope API; limiting network exposure to trusted users or internal systems is the recommended mitigation, and any `secret_key` that may already have been read by an untrusted party should be rotated on the Tencent Cloud side, since patching does not invalidate it
  • The defect is in the configuration API itself (the COS `secret_key` is returned unredacted), not a network-level flaw; network restrictions reduce exposure, but only upgrading to a fixed version removes it
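The two checks above (vulnerable version ranges, and a plaintext COS `secret_key` in a configuration response) as one small triage script. This is an added example, not code from Pyroscope or from the advisory. It assumes, as other Grafana databases do, that Pyroscope dumps its effective configuration as YAML from a config endpoint, and that the COS settings live under a `storage.cos` block with a `secret_key` field; the sample response, endpoint name and key values below are constructed for the example.

```python
"""Triage helpers for CVE-2025-41118 (added example; not Pyroscope's own code).

Assumptions not stated on the advisory page:
  * the configuration API returns YAML-shaped text (the response below is constructed);
  * the COS backend is selected with `storage.backend: cos` and its credentials sit
    under `storage.cos`, including a `secret_key` field.
"""
import re
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Accept '1.15.1', 'v1.15.1' or '1.15.1-rc0' and return (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable Pyroscope version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_version(v: str) -> bool:
    """Fixed versions per the advisory: 1.15.2+, 1.16.1+, and all of 1.17.x and later.

    Everything else (including 1.14 and older) is treated as affected; whether the
    bug is reachable still depends on the COS backend being configured.
    """
    major, minor, patch = parse_version(v)
    if (major, minor) == (1, 16):
        return patch < 1
    if (major, minor) >= (1, 17):
        return False
    return (major, minor, patch) < (1, 15, 2)


# Constructed config-API response with the COS backend active and the key unredacted.
SAMPLE_CONFIG = """\
storage:
  backend: cos
  cos:
    bucket: profiles-prod
    region: ap-guangzhou
    app_id: "1250000000"
    secret_id: AKIDEXAMPLE0000000000000000000000000
    secret_key: EXAMPLESECRETKEY000000000000000000
"""

# Placeholder strings a redacting endpoint might return instead of the real key.
REDACTED_MARKERS = {"", "<redacted>", "[redacted]", "REDACTED", "null", "~"}


def cos_backend_in_use(config_text: str) -> bool:
    """True when the dumped config selects Tencent COS as the storage backend."""
    return re.search(r"^\s*backend:\s*['\"]?cos['\"]?\s*$", config_text, re.M) is not None


def exposed_cos_secret(config_text: str) -> Optional[str]:
    """Return the plaintext COS secret_key if the backend is COS and the value is not
    redacted; None otherwise (other backends are out of scope for this CVE)."""
    if not cos_backend_in_use(config_text):
        return None
    m = re.search(r"^\s*secret_key:\s*(\S+)\s*$", config_text, re.M)
    if not m:
        return None
    value = m.group(1).strip("\"'")
    if value in REDACTED_MARKERS or set(value) == {"*"}:
        return None
    return value


def triage(version: str, config_text: str) -> dict:
    """Combine both signals into one verdict for a single instance."""
    secret = exposed_cos_secret(config_text)
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "cos_backend": cos_backend_in_use(config_text),
        "secret_exposed": secret is not None,
        # A leaked key is not revoked by patching; it must be rotated at Tencent Cloud.
        "rotate_key": secret is not None,
    }


if __name__ == "__main__":
    print(triage("1.15.1", SAMPLE_CONFIG))
```

Run it against the text returned by your own instance's config endpoint (read it from a file or stdin instead of `SAMPLE_CONFIG`); a `secret_exposed: True` result means the key should be rotated regardless of when the upgrade lands.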

CVSS provenance

nvd            v3.1   9.1   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat         9.1   CRITICAL