
CVE-2025-2786: Exposure of Sensitive Information to an Unauthorized Actor

Medium
Published: Wed Apr 02 2025 (04/02/2025, 11:07:43 UTC)
Source: CVE

Description

CVE-2025-2786 is a medium-severity vulnerability in Tempo Operator that allows a user with full access to their namespace to extract a ServiceAccount token and perform TokenReview and SubjectAccessReview requests. This exposure can reveal sensitive information about other users' permissions within the cluster. Although it does not enable privilege escalation or impersonation, the information disclosure could facilitate further targeted attacks. The vulnerability affects deployments of TempoStack or TempoMonolithic instances where the operator creates certain Kubernetes RBAC resources. No known exploits are currently reported in the wild. European organizations using Tempo Operator in Kubernetes environments should be aware of this risk and apply mitigations promptly to prevent information leakage. The vulnerability has a CVSS score of 4.3, reflecting its limited but meaningful impact on confidentiality without affecting integrity or availability.

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 02:51:49 UTC

Technical Analysis

CVE-2025-2786 is a vulnerability identified in the Tempo Operator, a Kubernetes operator used to deploy TempoStack or TempoMonolithic instances. When a user deploys these instances, the operator automatically creates a ServiceAccount, ClusterRole, and ClusterRoleBinding. The flaw lies in the fact that a user who already has full access to their own Kubernetes namespace can extract the ServiceAccount token associated with these resources. With this token, the user can submit TokenReview and SubjectAccessReview API requests to the Kubernetes API server. These requests allow the user to query and reveal information about the permissions and roles assigned to other users within the cluster. Although this vulnerability does not permit privilege escalation or impersonation of other users, the exposure of permission data can aid attackers in reconnaissance and planning further attacks. The vulnerability is classified as medium severity with a CVSS 3.1 score of 4.3, primarily due to its impact on confidentiality and the fact that it requires the attacker to have namespace-level privileges already. There is no indication of known exploits in the wild, and no patches or vendor advisories were provided at the time of publication. The vulnerability affects all versions of the Tempo Operator as indicated by the affectedVersions field containing "0", which likely denotes initial or unspecified versions. The flaw is relevant in Kubernetes environments where Tempo Operator is used to manage observability stacks, and it leverages Kubernetes RBAC mechanisms to expose sensitive authorization data.
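To confirm whether a cluster carries the RBAC shape described above, here is an added example (not code from the Tempo Operator project) that inventories ClusterRoleBindings granting a ServiceAccount the ability to create TokenReview or SubjectAccessReview objects. Because both review resources are cluster-scoped, only a ClusterRoleBinding can grant them, so that is the only binding kind the script needs to inspect. It reads the JSON shape produced by `kubectl get clusterroles,clusterrolebindings -o json`; the embedded listing is constructed, and every name ending in `-placeholder` is an assumption standing in for whatever names the operator actually uses.

```python
"""Inventory ClusterRoleBindings that let a ServiceAccount create
TokenReview / SubjectAccessReview objects.

Added example for assessing CVE-2025-2786 exposure; not code from the Tempo
Operator project. Input is a v1 List as emitted by
`kubectl get clusterroles,clusterrolebindings -o json`. The sample listing
is constructed; names ending in "-placeholder" are assumptions.
"""
import json
import sys

# The two review APIs named in the advisory, keyed by API group.
REVIEW_RESOURCES = {
    "authentication.k8s.io": {"tokenreviews"},
    "authorization.k8s.io": {"subjectaccessreviews"},
}
ALL_REVIEW = set().union(*REVIEW_RESOURCES.values())


def rule_grants_review(rule):
    """True if a single PolicyRule permits creating either review resource.
    Wildcards are honoured: apiGroups ["*"] covers both groups, and
    resources ["*"] within a review group covers that group's resource."""
    verbs = set(rule.get("verbs") or [])
    if not verbs & {"create", "*"}:
        return False
    resources = set(rule.get("resources") or [])
    for group in rule.get("apiGroups") or []:
        wanted = ALL_REVIEW if group == "*" else REVIEW_RESOURCES.get(group, set())
        # A wildcard in a group with no review resources (e.g. core "") is harmless.
        if wanted and ("*" in resources or resources & wanted):
            return True
    return False


def review_capable_roles(items):
    """Names of ClusterRoles that contain at least one review-granting rule."""
    return {
        obj["metadata"]["name"]
        for obj in items
        if obj.get("kind") == "ClusterRole"
        and any(rule_grants_review(r) for r in (obj.get("rules") or []))
    }


def serviceaccounts_with_review_access(listing):
    """One finding per (binding, ServiceAccount) pair that can perform reviews."""
    items = listing.get("items") or []
    roles = review_capable_roles(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        ref = obj.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subj in obj.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                findings.append({
                    "binding": obj["metadata"]["name"],
                    "clusterRole": ref["name"],
                    "namespace": subj.get("namespace"),
                    "serviceAccount": subj.get("name"),
                })
    return findings


# Constructed listing: one review-capable role bound to a tenant-namespace
# ServiceAccount, plus an unrelated pod-reader role that must not be flagged.
SAMPLE_LISTING = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "tempo-review-role-placeholder"},
         "rules": [
             {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
             {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
         ]},
        {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "tempo-review-binding-placeholder"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                     "name": "tempo-review-role-placeholder"},
         "subjects": [{"kind": "ServiceAccount", "name": "tempo-operator-sa-placeholder",
                       "namespace": "team-a"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-reader-binding"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "team-b"}]},
    ],
}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get ... -o json`, or run on the sample.
    listing = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LISTING
    for f in serviceaccounts_with_review_access(listing):
        print(f"{f['namespace']}/{f['serviceAccount']} via {f['binding']} -> {f['clusterRole']}")
```

Each finding identifies a ServiceAccount whose mounted token, if readable by whoever administers that namespace, yields exactly the review capability the analysis describes. A quick cross-check for a single account is `kubectl auth can-i create tokenreviews.authentication.k8s.io --as=system:serviceaccount:<ns>:<name>`, which asks the API server the same question directly.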

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive information disclosure within Kubernetes clusters running Tempo Operator. Attackers with namespace-level access can gain insight into the permissions of other users, potentially revealing privileged roles or service accounts that could be targeted in subsequent attacks. While it does not directly allow privilege escalation, the information leakage can facilitate lateral movement or privilege abuse by revealing the cluster's security posture. Organizations relying on Tempo Operator for observability in critical infrastructure or regulated environments (such as finance, healthcare, or government) may face increased risk of targeted attacks or compliance issues related to unauthorized data exposure. The vulnerability could also undermine trust in multi-tenant Kubernetes clusters where namespace isolation is expected. Given the growing adoption of Kubernetes and observability tools across Europe, this vulnerability could impact a broad range of sectors, especially those with complex cloud-native deployments.

Mitigation Recommendations

To mitigate CVE-2025-2786, organizations should first ensure strict access control policies are enforced at the namespace level to limit who can deploy Tempo Operator instances. Restricting namespace-level full access reduces the pool of potential attackers who can exploit this flaw. Additionally, review and minimize the permissions granted to the ServiceAccount, ClusterRole, and ClusterRoleBinding created by the operator to follow the principle of least privilege. If possible, configure the operator or deployment manifests to avoid creating overly permissive RBAC bindings. Monitoring and auditing Kubernetes API server logs for unusual TokenReview and SubjectAccessReview requests can help detect exploitation attempts. Organizations should also track vendor advisories for patches or updates to the Tempo Operator that address this vulnerability and apply them promptly. In the interim, consider isolating observability workloads in dedicated clusters or namespaces with tightly controlled access. Finally, educate DevOps and security teams about the risks of token exposure and the importance of securing Kubernetes RBAC configurations.
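The monitoring recommendation above, as an added example that is not part of the original advisory or the Tempo Operator project: a small detector that reads Kubernetes API-server audit log lines (audit.k8s.io/v1 JSON events) and flags TokenReview or SubjectAccessReview creations made under a workload ServiceAccount identity, which is the pattern a leaked operator token would produce. The log lines below are constructed, the ServiceAccount name `tempo-operator-sa-placeholder` is an assumption, and the `allowlist` of callers expected to perform reviews is something each cluster owner fills in.

```python
"""Flag TokenReview / SubjectAccessReview requests made under a workload
ServiceAccount identity in Kubernetes API-server audit logs.

Added example for the CVE-2025-2786 monitoring advice; not code from the
Tempo Operator project. Field names follow the audit.k8s.io/v1 event schema.
The sample log lines are constructed and "tempo-operator-sa-placeholder" is
an assumed name, not the operator's real ServiceAccount.
"""
import json
from collections import Counter

# (apiGroup, resource) pairs for the two review APIs named in the advisory.
REVIEW_RESOURCES = {
    ("authentication.k8s.io", "tokenreviews"),
    ("authorization.k8s.io", "subjectaccessreviews"),
}


def parse_serviceaccount(username):
    """'system:serviceaccount:<ns>:<name>' -> (ns, name); None for other users."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


def is_review_create(event):
    """True for a create of either review resource."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") == "create"
            and (ref.get("apiGroup"), ref.get("resource")) in REVIEW_RESOURCES)


def find_serviceaccount_reviews(lines, allowlist=frozenset()):
    """One finding per completed review request made by a ServiceAccount whose
    full username is not in `allowlist` (an assumption: callers you know
    legitimately perform reviews, such as an authenticating proxy)."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an audit event line
        # A request is logged at several stages; count it once, when complete.
        if event.get("stage") != "ResponseComplete" or not is_review_create(event):
            continue
        username = (event.get("user") or {}).get("username", "")
        sa = parse_serviceaccount(username)
        if sa is None or username in allowlist:
            continue
        findings.append({
            "time": event.get("requestReceivedTimestamp"),
            "namespace": sa[0],
            "serviceaccount": sa[1],
            "resource": event["objectRef"]["resource"],
            "sourceIPs": event.get("sourceIPs", []),
            "code": (event.get("responseStatus") or {}).get("code"),
        })
    return findings


def count_by_caller(findings):
    """Aggregate as {'<ns>/<sa>': n}; a burst from one workload account is
    the signal worth alerting on rather than a single event."""
    return dict(Counter(f"{f['namespace']}/{f['serviceaccount']}" for f in findings))


# Constructed audit lines: a TokenReview at both stages (counted once), a
# SubjectAccessReview by a human user (ignored), a SubjectAccessReview by the
# ServiceAccount (flagged), an unrelated pod list (ignored) and one junk line.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c1","stage":"RequestReceived","requestURI":"/apis/authentication.k8s.io/v1/tokenreviews","verb":"create","user":{"username":"system:serviceaccount:team-a:tempo-operator-sa-placeholder","groups":["system:serviceaccounts","system:serviceaccounts:team-a","system:authenticated"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"tokenreviews","apiGroup":"authentication.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2025-04-02T11:07:43.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c1","stage":"ResponseComplete","requestURI":"/apis/authentication.k8s.io/v1/tokenreviews","verb":"create","user":{"username":"system:serviceaccount:team-a:tempo-operator-sa-placeholder","groups":["system:serviceaccounts","system:serviceaccounts:team-a","system:authenticated"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"tokenreviews","apiGroup":"authentication.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2025-04-02T11:07:43.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c2","stage":"ResponseComplete","requestURI":"/apis/authorization.k8s.io/v1/subjectaccessreviews","verb":"create","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"subjectaccessreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2025-04-02T11:08:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c3","stage":"ResponseComplete","requestURI":"/apis/authorization.k8s.io/v1/subjectaccessreviews","verb":"create","user":{"username":"system:serviceaccount:team-a:tempo-operator-sa-placeholder","groups":["system:serviceaccounts","system:serviceaccounts:team-a","system:authenticated"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"subjectaccessreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2025-04-02T11:08:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/team-a/pods","verb":"list","user":{"username":"system:serviceaccount:team-a:tempo-operator-sa-placeholder","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"pods","namespace":"team-a","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2025-04-02T11:08:09.000000Z"}
this line is not an audit event
"""

if __name__ == "__main__":
    hits = find_serviceaccount_reviews(SAMPLE_AUDIT_LOG.splitlines())
    for h in hits:
        print(h)
    print(count_by_caller(hits))
```

For this to see anything in a real cluster, the API server's audit policy must actually record requests to the `authentication.k8s.io` and `authorization.k8s.io` groups at `Metadata` level or higher; review objects are never persisted, so the audit log is the only place these calls leave a trace. Feed the detector the audit log file (or the stream a log shipper forwards) rather than the sample, and treat the per-caller counts as the alerting metric.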


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-03-25T10:51:16.783Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f99000acd01a249270036

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 1/21/2026, 2:51:49 AM

Last updated: 2/7/2026, 6:34:02 AM

