
CVE-2025-2786: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Medium
Published: Wed Apr 02 2025 (04/02/2025, 11:07:43 UTC)
Source: CVE

Description

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.

AI-Powered Analysis

AI analysis last updated: 10/11/2025, 00:30:12 UTC

Technical Analysis

CVE-2025-2786 is a vulnerability identified in the Tempo Operator, a Kubernetes operator used to deploy TempoStack or TempoMonolithic instances. When a user deploys these instances, the operator automatically creates a ServiceAccount along with associated ClusterRole and ClusterRoleBinding resources. The flaw lies in the fact that a user who already has full access to their namespace can extract the ServiceAccount token created by the operator. This token can then be used to submit TokenReview and SubjectAccessReview API requests to the Kubernetes API server. These requests allow the querying of permissions and roles assigned to other users within the cluster. While this vulnerability does not permit privilege escalation or impersonation of other users, it leaks sensitive information about user permissions and roles, which could be leveraged by attackers to map out the cluster's security posture and plan further attacks. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity, reflecting the limited scope and impact. Exploitation requires that the attacker already has full access to their namespace, meaning it is not a remote or unauthenticated attack vector. No user interaction is required once the attacker has the necessary access. There are no known public exploits or active exploitation reported at this time. The vulnerability was published on April 2, 2025, and assigned by Red Hat. No patches or fixes are currently linked, so users should monitor vendor advisories for updates.

Potential Impact

For European organizations deploying Tempo Operator in Kubernetes environments, this vulnerability poses a risk of sensitive information disclosure regarding user permissions and roles within the cluster. Although it does not directly allow privilege escalation or compromise data integrity or availability, the exposure of permission mappings can aid attackers in reconnaissance and targeted attacks, increasing the risk of subsequent privilege escalation or lateral movement. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and critical infrastructure, could face compliance risks if attackers leverage this information to compromise systems. The impact is especially relevant for multi-tenant or shared Kubernetes clusters where namespace boundaries are used to isolate workloads. Attackers with namespace-level access could gain insight into cluster-wide permission structures, undermining the isolation assumptions those boundaries rest on. This raises the risk that an insider or a compromised account escalates an attack. The medium severity rating reflects that the vulnerability cannot be exploited without existing access but still represents a meaningful information disclosure risk.

Mitigation Recommendations

To mitigate CVE-2025-2786, organizations should first restrict namespace-level permissions to the minimum necessary, ensuring that only trusted users have full access to their namespaces. Implement strict Role-Based Access Control (RBAC) policies to limit who can deploy Tempo Operator instances and access ServiceAccount tokens. Monitor and audit the use of TokenReview and SubjectAccessReview API calls to detect unusual or unauthorized queries. Use Kubernetes features such as Pod Security Policies or OPA Gatekeeper policies to prevent unauthorized creation or extraction of ServiceAccount tokens. Consider isolating Tempo deployments in dedicated namespaces with limited user access. Regularly update the Tempo Operator and related components once patches or security updates addressing this vulnerability become available. Employ network segmentation and API server access controls to reduce the attack surface. Additionally, educate DevOps and security teams about the risks of token exposure and enforce secrets management best practices to avoid token leakage.
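The audit step in the mitigations above can be turned into a concrete check. The following is an added example, not code from the advisory or the Tempo Operator project: a Python filter over Kubernetes audit-log JSON lines that reports every TokenReview or SubjectAccessReview created by a namespaced ServiceAccount, while ignoring control-plane components for which such requests are routine. The audit events are constructed, and the ServiceAccount name `tempo-example` and namespace `tracing` are assumptions.

```python
import json

# Constructed sample Kubernetes audit events (audit.k8s.io/v1 shape, one JSON object
# per line). The ServiceAccount "tempo-example" and namespace "tracing" are assumptions.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create", "requestReceivedTimestamp": "2025-04-02T11:07:43Z",
     "user": {"username": "system:serviceaccount:tracing:tempo-example"},
     "objectRef": {"apiGroup": "authorization.k8s.io", "resource": "subjectaccessreviews"}},
    {"stage": "ResponseComplete", "verb": "create", "requestReceivedTimestamp": "2025-04-02T11:08:01Z",
     "user": {"username": "system:serviceaccount:tracing:tempo-example"},
     "objectRef": {"apiGroup": "authentication.k8s.io", "resource": "tokenreviews"}},
    # A control-plane component doing the same thing is normal and must not be flagged.
    {"stage": "ResponseComplete", "verb": "create", "requestReceivedTimestamp": "2025-04-02T11:09:00Z",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"apiGroup": "authorization.k8s.io", "resource": "subjectaccessreviews"}},
    # Ordinary namespaced reads by the same ServiceAccount are not of interest here.
    {"stage": "ResponseComplete", "verb": "get", "requestReceivedTimestamp": "2025-04-02T11:09:30Z",
     "user": {"username": "system:serviceaccount:tracing:tempo-example"},
     "objectRef": {"resource": "configmaps", "namespace": "tracing"}},
])

REVIEW_RESOURCES = {"tokenreviews", "subjectaccessreviews"}
SA_PREFIX = "system:serviceaccount:"

def review_calls_by_serviceaccounts(audit_log, allowed_sa=frozenset()):
    """Return (timestamp, "namespace:name", resource) for every TokenReview or
    SubjectAccessReview created by a namespaced ServiceAccount not on the allow list.
    Usernames without the ServiceAccount prefix (kube-controller-manager etc.) are skipped,
    since those components issue review requests as part of normal operation."""
    hits = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create":
            continue
        resource = ev.get("objectRef", {}).get("resource")
        if resource not in REVIEW_RESOURCES:
            continue
        user = ev.get("user", {}).get("username", "")
        if not user.startswith(SA_PREFIX):
            continue
        sa = user[len(SA_PREFIX):]
        if sa not in allowed_sa:
            hits.append((ev.get("requestReceivedTimestamp"), sa, resource))
    return hits

if __name__ == "__main__":
    for ts, sa, resource in review_calls_by_serviceaccounts(SAMPLE_AUDIT_LOG):
        print(f"{ts} ServiceAccount {sa} created {resource}")
```

Point it at a real audit log (with an audit policy that records `RequestResponse` or `Metadata` for the `authentication.k8s.io` and `authorization.k8s.io` groups) and put the ServiceAccounts that legitimately perform reviews on the allow list so that only unexpected callers remain.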


Technical Details

Data Version
5.1
Assigner Short Name
redhat
Date Reserved
2025-03-25T10:51:16.783Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682f99000acd01a249270036

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 10/11/2025, 12:30:12 AM

Last updated: 11/20/2025, 7:06:55 PM
