Kubernetes
CVE-2025-2786
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.
AnalysisAI
Tempo Operator creates overly-permissive ServiceAccount, ClusterRole, and ClusterRoleBinding resources that allow authenticated namespace users to extract the ServiceAccount token and abuse TokenReview and SubjectAccessReview APIs to enumerate other users' RBAC permissions, facilitating reconnaissance for follow-up attacks. While not enabling privilege escalation or impersonation directly, this information disclosure (CWE-200) under low complexity attack conditions affects any organization running Grafana Tempo Operator in multi-tenant or untrusted Kubernetes environments where namespace isolation is relied upon for security boundaries. EPSS exploitation probability is 0.21% (low), no public exploit code has been identified, and upstream remediation via GitHub PR #1145 has been made available by the Grafana Tempo Operator project.
Technical ContextAI
Tempo Operator is a Kubernetes Operator that automates deployment of Grafana Tempo (a distributed tracing backend) by managing CustomResources such as TempoStack and TempoMonolithic. When these resources are instantiated, the Operator controller creates associated RBAC primitives-ServiceAccount, ClusterRole, and ClusterRoleBinding-to grant the Tempo workload necessary cluster API permissions. The root cause (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) stems from overly broad RBAC permissions assigned to the ServiceAccount, specifically the ability to submit TokenReview and SubjectAccessReview requests without appropriate admission controls or read-only enforcement. These APIs are designed for service-to-service authentication and authorization querying but, when accessible to user-controlled workloads or extracted service account tokens, can be leveraged to enumerate RBAC policies across the cluster. The vulnerability does not require elevated cluster-admin credentials; any authenticated principal with namespace-level access can extract the token and query these APIs.
Affected ProductsAI
Grafana Tempo Operator (all versions prior to the patch commit in GitHub PR #1145) is affected. The vulnerability exists in any Kubernetes cluster where a TempoStack or TempoMonolithic CustomResource is deployed via Tempo Operator. Red Hat has released security updates documented in RHSA-2025:3607 and RHSA-2025:3740. Details are tracked in Red Hat Bugzilla #2354811 (https://bugzilla.redhat.com/show_bug.cgi?id=2354811) and the upstream fix is referenced at https://github.com/grafana/tempo-operator/pull/1145. Exact affected version ranges and patch versions are available through Red Hat's security advisories at https://access.redhat.com/errata/RHSA-2025:3607 and https://access.redhat.com/errata/RHSA-2025:3740.
RemediationAI
Apply the upstream fix available in Grafana Tempo Operator via GitHub PR #1145, which restricts the RBAC permissions assigned to the auto-created ServiceAccount and ClusterRole to remove or limit the ability to submit TokenReview and SubjectAccessReview requests. For Red Hat customers, upgrade to the patched versions indicated in RHSA-2025:3607 and RHSA-2025:3740 (consult https://access.redhat.com/security/cve/CVE-2025-2786 for version mapping). Until patching is deployed, mitigate by enforcing strict network policies to limit egress from Tempo pods to the Kubernetes API server, using admission controllers (e.g., OPA/Gatekeeper) to block TokenReview and SubjectAccessReview calls from service accounts used by Tempo Operator, and restricting kubectl access and ServiceAccount token extraction via RBAC policies that limit who can read secrets in the Tempo namespace. For organizations with multi-tenant clusters, validate that namespace-level service account tokens cannot be exported by untrusted users through pod security standards or network segmentation.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today