CVE-2025-2786

MEDIUM
2025-04-02
4.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 22, 2026 - 05:22 (vuln.today)
CVE Published: Apr 02, 2025 - 11:15 (nvd)

Description

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.

Analysis

Tempo Operator creates overly permissive ServiceAccount, ClusterRole, and ClusterRoleBinding resources. An authenticated user with full access to the namespace can extract the ServiceAccount token and use it against the TokenReview and SubjectAccessReview APIs to enumerate other users' RBAC permissions, which supports reconnaissance for follow-up attacks. It does not directly enable privilege escalation or impersonation, but this information disclosure (CWE-200) is reachable under low-complexity attack conditions and affects any organization running Grafana Tempo Operator in multi-tenant or untrusted Kubernetes environments where namespace isolation is relied upon as a security boundary. The EPSS exploitation probability is 0.21% (low), no public exploit code has been identified, and upstream remediation via GitHub PR #1145 has been made available by the Grafana Tempo Operator project.

Technical Context

Tempo Operator is a Kubernetes Operator that automates deployment of Grafana Tempo (a distributed tracing backend) by managing CustomResources such as TempoStack and TempoMonolithic. When these resources are instantiated, the Operator controller creates the associated RBAC primitives (ServiceAccount, ClusterRole, and ClusterRoleBinding) to grant the Tempo workload the cluster API permissions it needs. The root cause (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) is the overly broad RBAC permissions assigned to that ServiceAccount, specifically the ability to submit TokenReview and SubjectAccessReview requests without appropriate admission controls or read-only enforcement. These APIs are designed for service-to-service authentication and authorization queries, but when they are reachable from user-controlled workloads or with an extracted service account token, they can be used to enumerate RBAC policies across the cluster. The vulnerability does not require cluster-admin credentials; any authenticated principal with namespace-level access can extract the token and query these APIs.

Affected Products

Grafana Tempo Operator (all versions prior to the patch commit in GitHub PR #1145) is affected. The vulnerability exists in any Kubernetes cluster where a TempoStack or TempoMonolithic CustomResource is deployed via Tempo Operator. Red Hat has released security updates documented in RHSA-2025:3607 and RHSA-2025:3740. Details are tracked in Red Hat Bugzilla #2354811 (https://bugzilla.redhat.com/show_bug.cgi?id=2354811) and the upstream fix is referenced at https://github.com/grafana/tempo-operator/pull/1145. Exact affected version ranges and patch versions are available through Red Hat's security advisories at https://access.redhat.com/errata/RHSA-2025:3607 and https://access.redhat.com/errata/RHSA-2025:3740.

Remediation

Apply the upstream fix available in Grafana Tempo Operator via GitHub PR #1145, which restricts the RBAC permissions assigned to the auto-created ServiceAccount and ClusterRole so that the ability to submit TokenReview and SubjectAccessReview requests is removed or limited. Red Hat customers should upgrade to the patched versions indicated in RHSA-2025:3607 and RHSA-2025:3740 (consult https://access.redhat.com/security/cve/CVE-2025-2786 for the version mapping). Until the patch is deployed, mitigate by enforcing strict network policies that limit egress from Tempo pods to the Kubernetes API server, by using admission controllers (e.g., OPA/Gatekeeper) to block TokenReview and SubjectAccessReview calls from the service accounts used by Tempo Operator, and by restricting kubectl access and ServiceAccount token extraction with RBAC policies that limit who can read secrets in the Tempo namespace. Organizations running multi-tenant clusters should also validate, through pod security standards or network segmentation, that namespace-level service account tokens cannot be exported by untrusted users.
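Before and after applying the fix, the question a cluster operator wants answered is which ServiceAccounts are bound to ClusterRoles that can still create TokenReview or SubjectAccessReview objects. The following audit script is an added example for this record, not code from the Tempo Operator project or from Red Hat. It consumes the JSON shape returned by `kubectl get clusterroles,clusterrolebindings -o json` (the `items` lists) and, so that it runs offline, uses small constructed ClusterRole and ClusterRoleBinding objects whose names (`tempo-example-clusterrole`, `tempo-example-sa`, `observability`) are invented for the example.

```python
"""Audit Kubernetes RBAC for ServiceAccounts that can create TokenReview or
SubjectAccessReview objects (the permission class behind CVE-2025-2786).

Added example; not Tempo Operator code. Feed it the `items` lists from
`kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.
"""
from typing import Dict, List, Tuple

# Review APIs that let a caller ask the API server about another principal's
# identity (TokenReview) or permissions (SubjectAccessReview variants).
REVIEW_RESOURCES = {
    ("authentication.k8s.io", "tokenreviews"),
    ("authorization.k8s.io", "subjectaccessreviews"),
    ("authorization.k8s.io", "localsubjectaccessreviews"),
}
# Review objects are submitted with "create"; "*" grants every verb.
REVIEW_VERBS = {"create", "*"}


def rule_grants_review(rule: Dict) -> List[str]:
    """Return the review resources (as resource.group) one RBAC rule can create."""
    verbs = set(rule.get("verbs", []))
    if not verbs & REVIEW_VERBS:
        return []
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    hits = []
    for group, resource in sorted(REVIEW_RESOURCES):
        group_ok = "*" in groups or group in groups
        resource_ok = "*" in resources or resource in resources
        if group_ok and resource_ok:
            hits.append(f"{resource}.{group}")
    return hits


def review_capable_roles(cluster_roles: List[Dict]) -> Dict[str, List[str]]:
    """Map ClusterRole name -> sorted review resources it is allowed to create."""
    out: Dict[str, List[str]] = {}
    for role in cluster_roles:
        hits: List[str] = []
        for rule in role.get("rules", []):
            hits.extend(rule_grants_review(rule))
        if hits:
            out[role["metadata"]["name"]] = sorted(set(hits))
    return out


def audit_rbac(cluster_roles: List[Dict], bindings: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return sorted (namespace/serviceaccount, clusterrole, resource) findings.

    Only ServiceAccount subjects are reported, because the exposure described
    for CVE-2025-2786 is a namespace user extracting a ServiceAccount token.
    """
    roles = review_capable_roles(cluster_roles)
    findings = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            sa = f"{subject.get('namespace', '')}/{subject['name']}"
            for resource in roles[ref["name"]]:
                findings.append((sa, ref["name"], resource))
    return sorted(findings)


# Constructed sample objects (invented names, not real cluster output).
SAMPLE_CLUSTER_ROLES = [
    {
        "metadata": {"name": "tempo-example-clusterrole"},
        "rules": [
            {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
            {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
        ],
    },
    {
        # Benign role: read-only on pods, no review APIs.
        "metadata": {"name": "metrics-reader"},
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    },
]
SAMPLE_BINDINGS = [
    {
        "roleRef": {"kind": "ClusterRole", "name": "tempo-example-clusterrole"},
        "subjects": [{"kind": "ServiceAccount", "name": "tempo-example-sa", "namespace": "observability"}],
    },
    {
        "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
        "subjects": [{"kind": "ServiceAccount", "name": "prom", "namespace": "monitoring"}],
    },
]

if __name__ == "__main__":
    for sa, role, resource in audit_rbac(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{sa} via ClusterRole {role} can create {resource}")
```

Run it against real cluster output by loading the two `items` arrays with `json.load` and passing them to `audit_rbac`; an empty result after upgrading confirms that no Tempo-created ServiceAccount retains the review permissions, while any remaining hit points at the binding an admission policy or RBAC change still needs to cover.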

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +22
POC: 0

Vendor Status

CVE-2025-2786 vulnerability details – vuln.today
