The Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 release incorporates security fixes for vulnerabilities such as CVE-2025-2786 and CVE-2025-2842. The update enforces stricter permission requirements for managing multi-tenancy configurations, specifically requiring TokenReview and SubjectAccessReview permissions. A known issue requires careful namespace isolation and permission auditing for the gateway component's ServiceAccount when tenancy mode is enabled. The release is based on Grafana Tempo 2.7.1 and includes no deprecations or technology preview features. No direct patch links are provided, but upgrade instructions are available in Red Hat's documentation.

The vulnerabilities addressed are rated high severity and relate to improper authorization and information exposure issues (CWE-200, CWE-405). Without proper permissions, users could potentially create or modify multi-tenant tracing configurations improperly. The known issue with gateway ServiceAccount permissions could lead to authorization challenges if not mitigated. There are no known exploits in the wild at this time.

Red Hat provides an updated release (Tempo 3.5.1) that includes fixes for the referenced CVEs. Users should upgrade to this version following Red Hat's official upgrade procedures documented in their OpenShift operator upgrade guides. For the known issue with tenancy mode, deploy Tempo instances in dedicated namespaces and audit user permissions carefully to restrict access to Secrets. The update requires users to have TokenReview and SubjectAccessReview permissions to manage multi-tenant resources, so ensure these permissions are granted appropriately. Patch status is not explicitly stated as a separate patch but is integrated into the 3.5.1 release; users should consult the vendor advisory and upgrade accordingly.