bugfix: set default max_result_limit for search to 256*1024

[zhxiaogg]

What this PR does:

Set the default value of query_frontend.search.max_result_limit to 262144 (256*1024) to cap the maximum number of results returned by search requests. Previously the default was 0 (unlimited), which could allow unbounded result sets.

Which issue(s) this PR fixes:
Fixes VUL-2026-0021

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

Fixes: CVE-2026-21728

[mdisibio]

Adding the PR number to the link text

Suggested change

	* [CHANGE] Set default `max_result_limit` for search to 256*1024 [#](https://github.com/grafana/tempo/pull/6525) (@zhxiaogg)
	* [CHANGE] Set default `max_result_limit` for search to 256*1024 [#6525](https://github.com/grafana/tempo/pull/6525) (@zhxiaogg)

[tempo-ci-app]

The backport to release-v2.10 failed:

error cherry-picking: error running git cherry-pick: error running command 'git cherry-pick -x 650eb1985a0776789c8564122990f588a742356f'
error: exit status 1
stdout: Auto-merging CHANGELOG.md
CONFLICT (content): Merge conflict in CHANGELOG.md
Auto-merging docs/sources/tempo/configuration/manifest.md
Auto-merging modules/frontend/config.go

stderr: error: could not apply 650eb1985... bugfix: set default max_result_limit for search to 256*1024 (#6525)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

To backport manually, run these commands in your terminal:

git fetch
git switch --create backport-6525-to-release-v2.10 origin/release-v2.10
git cherry-pick -x 650eb1985a0776789c8564122990f588a742356f

Resolve the conflicts, then add the changes and run git cherry-pick --continue:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

git push --set-upstream origin backport-6525-to-release-v2.10
PR_BODY=$(gh pr view 6525 --json body --template 'Backport 650eb1985a0776789c8564122990f588a742356f from #6525{{ "\n\n---\n\n" }}{{ index . "body" }}')
echo "${PR_BODY}" | gh pr create --title '[release-v2.10] bugfix: set default max_result_limit for search to 256*1024' --body-file - --label 'backport' --label '' --base release-v2.10 --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

git push --set-upstream origin backport-6525-to-release-v2.10

And open a pull request where the base branch is release-v2.10 and the compare/head branch is backport-6525-to-release-v2.10