Bug 2499635 (CVE-2026-62147) - CVE-2026-62147 tempo-operator: Tempo Operator: Query RBAC bypass
Summary: CVE-2026-62147 tempo-operator: Tempo Operator: Query RBAC bypass
Keywords:
Status: NEW
Alias: CVE-2026-62147
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-13 10:03 UTC by OSIDB Bzimport
Modified: 2026-07-13 11:37 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-13 10:03:40 UTC
A flaw was found in the Tempo Operator's gateway component used by Red Hat OpenShift distributed tracing platform to enforce per-namespace access control on trace queries; when query RBAC is enabled, an authorization logic error caused some query API code paths to skip the expected redaction, allowing a user authorized for at least one namespace's traces to retrieve span attributes from namespaces they are not authorized to access. The highest threat is to confidentiality of tracing data; there is no impact to integrity, availability, or broader cluster privileges, and deployments that do not enable query RBAC are not affected by this specific bypass.

Comment 1 Yadnyawalk Tale 2026-07-13 10:09:20 UTC
CVSS Justification:
AV:N (Network) — The Tempo query API/gateway is reachable over the network (e.g., via a route/service), so no local access to a node or pod is needed.
AC:L (Low) — Exploitation just requires sending a normal query request to the affected endpoints; no special conditions or timing are involved.
PR:L (Low) — Attacker needs to be an authenticated user with access to at least one namespace's traces, not elevated/admin privileges.
UI:N (None) — No action from another user or admin is required to trigger the unredacted response.
S:U (Unchanged) — The bypass stays within the same security authority (the tracing platform's own authorization layer); it doesn't escalate into a different component or host boundary.
C:H (High) — An attacker can read span attributes from namespaces they aren't authorized for, with no restriction on which namespaces' data is exposed.
I:N (None) — The flaw only discloses data; it doesn't allow modifying trace data, configuration, or anything else.
A:N (None) — There's no impact on availability of the tracing service or any other component.


Note You need to log in before you can comment on or make changes to this bug.