CVE-2025-41118
Published: 2026-04-15
Priority: P2 · 63 · critical · 9.1 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.41% (32.4th percentile)
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).
If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.
To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.
This vulnerability is fixed in versions:
1.15.x: 1.15.2 and above.
1.16.x: 1.16.1 and above.
1.17.x: 1.17.0 and above (i.e. all versions).
Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_pyroscope | >= 0 < 1.15.2 | 1.15.2 |
| github.com | grafana_pyroscope | >= 1.16.0 < 1.16.1 | 1.16.1 |
| grafana | grafana | — | — |
| grafana | pyroscope | < 1.15.2 | 1.15.2 |
| grafana | pyroscope | — | — |
| grafana | pyroscope | >= 1.0.0 < 1.16.0 | 1.16.0 |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel8 | — | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | rhceph-5-dashboard-rhel8 | — | — |
| rhceph | rhceph-6-dashboard-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated or unauthorized access to the Pyroscope configuration API endpoint, which may expose the Tencent COS `secret_key` in plaintext.
- Alert on plaintext exposure of `secret_key` values in Pyroscope API responses when COS is configured as the storage backend.
- Flag Pyroscope instances running versions below 1.15.2 (1.15.x branch), below 1.16.1 (1.16.x branch), or any pre-1.17.0 release as vulnerable when the COS backend is in use.
- The vulnerability is only exploitable when Tencent Cloud Object Storage (COS) is configured as the Pyroscope storage backend; deployments using other backends are not affected.
- Exploitation requires direct access to the Pyroscope API; limiting network exposure to trusted users or internal systems is the recommended mitigation.
- The root cause is a missing type protection on the configuration API, not a network-level flaw; patching to the fixed versions is required for full remediation.
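The "missing type protection" named above, as an added example in Go that is not Pyroscope's code: a config struct whose secret is a plain string is rendered verbatim when a diagnostic endpoint serializes it, while the same struct with a redacting `Secret` type emits a placeholder. The `Secret` type, the struct and field names, the use of encoding/json for rendering, and the sample key are all assumptions constructed for the illustration; `Leaks` is the check a defender can run against their own endpoint's output.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Secret is a hypothetical redacting string type (assumed here, not Pyroscope's
// own code): serializing a config that holds it yields a placeholder, never the value.
type Secret string

// MarshalJSON is what the serializer calls when the config is rendered.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"********"`), nil
}

// LeakyCOSConfig: secret_key is a plain string, so rendering the struct exposes it.
type LeakyCOSConfig struct {
	Bucket    string `json:"bucket"`
	SecretID  string `json:"secret_id"`
	SecretKey string `json:"secret_key"`
}

// HardenedCOSConfig: the same config with the secret wrapped in Secret.
type HardenedCOSConfig struct {
	Bucket    string `json:"bucket"`
	SecretID  string `json:"secret_id"`
	SecretKey Secret `json:"secret_key"`
}

// RenderConfig stands in for a "show running config" diagnostic endpoint.
func RenderConfig(cfg any) (string, error) {
	b, err := json.Marshal(cfg)
	return string(b), err
}

// Leaks reports whether rendered output contains the raw secret; run the same
// check against a real config endpoint's response to verify a deployment.
func Leaks(rendered, secret string) bool {
	return secret != "" && strings.Contains(rendered, secret)
}
```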
CVSS provenance
- NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Red Hat (vendor): 9.1 CRITICAL
Red Hat
pyroscope: sensitive COS SecretKey exposed in plaintext via configuration API due to missing type protection
Source: vendor_redhat · 2026-04-15 · CVSS 9.1 · CRITICAL · CWE-201
A flaw was found in Pyroscope. When Tencent Cloud Object Storage (COS) is configured as the storage backend, an attacker with access to the Pyroscope API can extract the `secret_key` value in plaintext. This issue leads to sensitive information disclosure.
Statement: This flaw allows an attacker with direct access to the Pyroscope API to extract the Tencent Cloud Object Storage (COS) `secret_key` in plaintext when COS is configured as the storage backend. For this reason, this vulnerability has been rated with an important severity.
Mitigation: To mitigate this vulnerability, limit network exposure of the Pyroscope API so it is only accessible by trusted users on the internal
VulDB
Grafana Pyroscope up to 1.15.x API secret_key Remote Code Execution
Source: vuldb · 2026-04-16 · CVSS 9.1 · CRITICAL
A vulnerability was found in Grafana Pyroscope up to 1.15.x. It has been classified as critical. This impacts an unknown function of the component API. This manipulation of the argument secret_key causes Remote Code Execution.
This vulnerability is tracked as CVE-2025-41118. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
Exposure of Storage Secret in Pyroscope
Source: ghsa · 2026-04-15 · CRITICAL · CWE-200
GHSA (unreviewed)
GHSA-m9hq-h476-h2g8: Pyroscope is an open-source continuous profiling database
Source: ghsa_unreviewed · 2026-04-15 · CRITICAL
No detection rules found.
No public exploits indexed.