PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62147 Red Hat CVE debrief

The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces. This vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. Users of Tempo Operator should review their configurations to ensure proper namespace-scoped redaction and verify query RBAC is enabled.

Vendor
Red Hat
Product
Red Hat OpenShift distributed tracing 3
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of Tempo Operator, particularly those with security and vulnerability management responsibilities, should review their configurations and ensure that namespace-scoped redaction is properly applied. Security teams should verify query RBAC is enabled and monitor for suspicious activity related to query API responses.

Technical summary

The Tempo Operator's gateway component did not consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled. This vulnerability allowed an authenticated user to read span attributes belonging to other tenants' namespaces. The CVSS score for this vulnerability is 6.5, and the severity is MEDIUM. Affected users should review configurations and ensure proper namespace-scoped redaction.

Defensive priority

Medium priority should be given to patching this vulnerability, as it could allow an authenticated user to access sensitive information.

Recommended defensive actions

  • Review and update Tempo Operator configurations to ensure proper namespace-scoped redaction.
  • Verify that query RBAC is properly enabled and configured.
  • Monitor for any suspicious activity related to query API responses.
  • Perform an inventory of affected Tempo Operator deployments.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions and retest remediated assets.

Evidence notes

Evidence for this vulnerability comes from the NVD and CVE records. Limited details are available about the specific affected versions and configurations of Tempo Operator. The vulnerability allows an authenticated user to read span attributes belonging to other tenants' namespaces when query RBAC is enabled. Defenders should verify namespace-scoped redaction configurations and query API response paths for potential exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T12:16:34.927Z and has not been modified since then.