Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible gateway API, low complexity, authenticated low-privilege user sufficient; pure confidentiality impact with no integrity or availability effect and no scope change.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
AnalysisAI
Tenant data leakage in the Tempo Operator gateway component (Red Hat OpenShift Distributed Tracing 3) allows an authenticated low-privileged user to read span attributes from namespaces belonging to other tenants. The flaw exists because namespace-scoped redaction is inconsistently applied across certain query API response paths when query RBAC is enabled, meaning the authorization control exists but is not uniformly enforced. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete conditions to be true simultaneously: (1) the Tempo Operator gateway must be deployed with query RBAC explicitly enabled - this is a non-default or operator-configured state; (2) the attacker must hold a valid authenticated session with at least low-privilege access to the OpenShift cluster or Tempo gateway API (PR:L per CVSS vector); and (3) the target environment must be multi-tenant, meaning other namespaces with span data must exist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5 and accurately reflects the threat model: network-reachable, low complexity, requires only a valid authenticated session, and yields high confidentiality impact limited to the vulnerable system with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user with a valid low-privileged account in a multi-tenant OpenShift cluster submits a query to the Tempo Operator gateway's query API targeting a response path where namespace-scoped redaction is not enforced. The response returns span attributes - potentially containing service names, operation parameters, or application-layer metadata - belonging to a different tenant's namespace, which the user is not authorized to see. … |
| Remediation | Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-62147 and the linked Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2499635 for the official patched version; no specific fix version was confirmed in the data available for this analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43489