CVE-2026-62147 (GCVE-0-2026-62147)
Vulnerability from cvelistv5 – Published: 2026-07-13 11:43 – Updated: 2026-07-13 13:43
VLAI
EPSS
VEX
Title
Tempo-operator: tempo operator: query rbac bypass
Summary
The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-62147 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2499635 | issue-trackingx_refsource_REDHAT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat OpenShift distributed tracing 3 |
cpe:/a:redhat:openshift_distributed_tracing:3 |
Date Public
2026-07-13 10:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-62147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T13:43:40.942746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T13:43:50.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"packageName": "rhosdt/tempo-operator-bundle",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"packageName": "rhosdt/tempo-rhel9-operator",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-07-13T10:00:13.312Z",
"descriptions": [
{
"lang": "en",
"value": "The Tempo Operator\u0027s gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants\u0027 namespaces."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T11:43:59.024Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-62147"
},
{
"name": "RHBZ#2499635",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2499635"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T09:58:14.425Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-07-13T10:00:13.312Z",
"value": "Made public."
}
],
"title": "Tempo-operator: tempo operator: query rbac bypass",
"workarounds": [
{
"lang": "en",
"value": "There is no mitigation or workaround other than upgrading to tempo-operator.v0.21.0-2 (or later); until upgraded, administrators requiring strict namespace isolation of trace data should not rely on query RBAC alone and should consider restricting access to the Tempo query API at the network/route level as a temporary compensating control."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-863: Incorrect Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-62147",
"datePublished": "2026-07-13T11:43:59.024Z",
"dateReserved": "2026-07-13T11:29:50.979Z",
"dateUpdated": "2026-07-13T13:43:50.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-62147\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-07-13T12:16:34.927\",\"lastModified\":\"2026-07-13T17:01:11.600\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Tempo Operator\u0027s gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants\u0027 namespaces.\"}],\"affected\":[{\"source\":\"secalert@redhat.com\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift distributed tracing 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhosdt/tempo-operator-bundle\",\"cpes\":[\"cpe:/a:redhat:openshift_distributed_tracing:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift distributed tracing 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhosdt/tempo-rhel9-operator\",\"cpes\":[\"cpe:/a:redhat:openshift_distributed_tracing:3\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-13T13:43:40.942746Z\",\"id\":\"CVE-2026-62147\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-62147\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2499635\",\"source\":\"secalert@redhat.com\"}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-13T12:06:35+00:00",
"cve": "CVE-2026-62147",
"id": "CVE-2026-62147",
"initial_release_date": "2026-07-13T10:00:13.312000+00:00",
"product_status:known_affected": "2",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "tempo-operator: Tempo Operator: Query RBAC bypass",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-62147.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-62147\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-13T13:43:40.942746Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-13T13:43:46.378Z\"}}], \"cna\": {\"title\": \"Tempo-operator: tempo operator: query rbac bypass\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:openshift_distributed_tracing:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift distributed tracing 3\", \"packageName\": \"rhosdt/tempo-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_distributed_tracing:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift distributed tracing 3\", \"packageName\": \"rhosdt/tempo-rhel9-operator\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-07-13T09:58:14.425Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-07-13T10:00:13.312Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-07-13T10:00:13.312Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-62147\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2499635\", \"name\": \"RHBZ#2499635\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"There is no mitigation or workaround other than upgrading to tempo-operator.v0.21.0-2 (or later); until upgraded, administrators requiring strict namespace isolation of trace data should not rely on query RBAC alone and should consider restricting access to the Tempo query API at the network/route level as a temporary compensating control.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Tempo Operator\u0027s gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants\u0027 namespaces.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-07-13T11:43:59.024Z\"}, \"x_redhatCweChain\": \"CWE-863: Incorrect Authorization\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-62147\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-13T13:43:50.023Z\", \"dateReserved\": \"2026-07-13T11:29:50.979Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-07-13T11:43:59.024Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…