Skip to main content

Tempo Operator EUVDEUVD-2026-43489

| CVE-2026-62147 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-13 redhat
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible gateway API, low complexity, authenticated low-privilege user sufficient; pure confidentiality impact with no integrity or availability effect and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 12:30 vuln.today

DescriptionCVE.org

The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.

AnalysisAI

Tenant data leakage in the Tempo Operator gateway component (Red Hat OpenShift Distributed Tracing 3) allows an authenticated low-privileged user to read span attributes from namespaces belonging to other tenants. The flaw exists because namespace-scoped redaction is inconsistently applied across certain query API response paths when query RBAC is enabled, meaning the authorization control exists but is not uniformly enforced. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to OpenShift cluster with low-privilege credentials
Delivery
Identify Tempo gateway query API endpoint
Exploit
Send query request targeting unguarded response path
Execution
Bypass namespace-scoped redaction
Persist
Receive span attributes from unauthorized tenant namespace
Impact
Exfiltrate sensitive telemetry or topology data

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions to be true simultaneously: (1) the Tempo Operator gateway must be deployed with query RBAC explicitly enabled - this is a non-default or operator-configured state; (2) the attacker must hold a valid authenticated session with at least low-privilege access to the OpenShift cluster or Tempo gateway API (PR:L per CVSS vector); and (3) the target environment must be multi-tenant, meaning other namespaces with span data must exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5 and accurately reflects the threat model: network-reachable, low complexity, requires only a valid authenticated session, and yields high confidentiality impact limited to the vulnerable system with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with a valid low-privileged account in a multi-tenant OpenShift cluster submits a query to the Tempo Operator gateway's query API targeting a response path where namespace-scoped redaction is not enforced. The response returns span attributes - potentially containing service names, operation parameters, or application-layer metadata - belonging to a different tenant's namespace, which the user is not authorized to see. …
Remediation Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-62147 and the linked Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2499635 for the official patched version; no specific fix version was confirmed in the data available for this analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy