CVE-2026-62147

Summary

The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-863: Incorrect Authorization

Workarounds

There is no mitigation or workaround other than upgrading to tempo-operator.v0.21.0-2 (or later); until upgraded, administrators requiring strict namespace isolation of trace data should not rely on query RBAC alone and should consider restricting access to the Tempo query API at the network/route level as a temporary compensating control.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References