The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
History

Mon, 13 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 12:00:00 +0000

Type Values Removed Values Added
Description The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
Title Tempo-operator: tempo operator: query rbac bypass
First Time appeared Redhat
Redhat openshift Distributed Tracing
Weaknesses CWE-863
CPEs cpe:/a:redhat:openshift_distributed_tracing:3
Vendors & Products Redhat
Redhat openshift Distributed Tracing
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-13T13:43:50.023Z

Reserved: 2026-07-13T11:29:50.979Z

Link: CVE-2026-62147

cve-icon Vulnrichment

Updated: 2026-07-13T13:43:46.378Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T14:15:15Z