The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
There is no mitigation or workaround other than upgrading to tempo-operator.v0.21.0-2 (or later); until upgraded, administrators requiring strict namespace isolation of trace data should not rely on query RBAC alone and should consider restricting access to the Tempo query API at the network/route level as a temporary compensating control.