CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2025-14986

The Old Switcheroo: Bypassing Namespace Policies in Temporal (CVE-2025-14986)

Alon Barad
Alon Barad
Software Engineer

Jan 1, 2026·5 min read·20 visits

Executive Summary (TL;DR)

Temporal's frontend failed to cross-check the namespace of an internal 'embedded' request against the outer wrapper request. An attacker could wrap a `StartWorkflow` command claiming to be for 'Namespace B' (high limits) inside a request authorized for 'Namespace A' (low limits). The server validated against B but executed in A, effectively bypassing namespace-level constraints.

A logic flaw in Temporal's `ExecuteMultiOperation` API allowed authenticated users to execute workflows in one namespace while validating them against the policies of another. By embedding a request with a mismatched namespace ID, attackers could bypass rate limits and feature gates.

Official Patches

TemporalPR #8839: Validate MultiOperation namespace match
TemporalTemporal v1.29.2 Release Notes

Technical Appendix

CVSS Score
1.3/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/RE:L/U:Green
EPSS Probability
0.05%
Top 88% most exploited

Affected Systems

Temporal Server 1.24.0Temporal Server 1.25.xTemporal Server 1.26.xTemporal Server 1.27.0 - 1.27.3Temporal Server 1.28.0 - 1.28.1Temporal Server 1.29.0 - 1.29.1

Affected Versions Detail

Product
Affected Versions
Fixed Version
Temporal Server
Temporal Technologies
>= 1.24.0, < 1.27.41.27.4
Temporal Server
Temporal Technologies
>= 1.28.0, < 1.28.21.28.2
Temporal Server
Temporal Technologies
>= 1.29.0, < 1.29.21.29.2
AttributeDetail
CWECWE-863 (Incorrect Authorization)
CVSS v4.01.3 (Low)
VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N
Attack VectorNetwork (gRPC)
Exploit ComplexityLow
Privileges RequiredLow (Valid Namespace Access)

MITRE ATT&CK Mapping

T1078Valid Accounts
Defense Evasion
T1562Impair Defenses
Defense Evasion
CWE-863
Incorrect Authorization

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Known Exploits & Detection

Manual AnalysisExploitation requires constructing a gRPC request with mismatched namespaces using a custom client.

Vulnerability Timeline

Vulnerability Disclosed/Patched in PR #8839
2025-02-01
Patch Released in v1.29.2
2025-02-05

References & Sources

  • [1]Temporal Security Advisories
  • [2]NVD - CVE-2025-14986

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-985R-Q3QP-299H
8.8

GHSA-985R-Q3QP-299H: Incomplete Fix in phpMyFAQ Admin API Enables Privilege Escalation and Account Takeover

An incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the `editUser` and `updateUserRights` endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 3 hours ago•CVE-2026-48788
8.2

CVE-2026-48788: Cross-Site Scripting and Content-Type Spoofing in Remark42 Image Proxy

A critical-severity Cross-Site Scripting (XSS) and Content-Type spoofing vulnerability in Remark42 (versions 1.6.0 through 1.15.0) allows remote attackers to execute arbitrary client-side script code via a crafted image proxy request.

Alon Barad
Alon Barad
5 views•6 min read
•about 6 hours ago•CVE-2026-53462
5.9

CVE-2026-53462: Heap Use-After-Free Vulnerability in ImageMagick Vector Drawing Subsystem

CVE-2026-53462 is a heap Use-After-Free (UAF) vulnerability in ImageMagick's vector drawing subsystem, specifically within the coordinate allocation mechanism in CheckPrimitiveExtent. By parsing a crafted vector image (such as SVG or MVG) with extremely complex primitives, an attacker can trigger a memory reallocation failure. If the application fails to handle this allocation failure cleanly, it leaves a dangling pointer that can subsequently be accessed or freed again, causing memory corruption or an application crash.

Alon Barad
Alon Barad
6 views•7 min read
•about 9 hours ago•CVE-2026-39832
9.1

CVE-2026-39832: Silent Drop of Destination Constraints in golang.org/x/crypto SSH Agent Client

A critical security flaw was identified in the Go package golang.org/x/crypto/ssh/agent. The vulnerability arises during the serialization of key constraints when adding SSH identities to a remote agent or an in-memory keyring. Specifically, custom constraint extensions, such as destination restrictions like restrict-destination-v00@openssh.com, were silently omitted from serialization in client requests. This omission allowed keys to be loaded into the remote agent with zero destination-based restrictions, enabling unauthorized users with access to the agent socket on intermediate hosts to authenticate to any downstream host without policy enforcement. The issue was resolved in version v0.52.0 of the golang.org/x/crypto library.

Amit Schendel
Amit Schendel
8 views•7 min read
•about 9 hours ago•CVE-2026-46597
7.5

CVE-2026-46597: Remote Denial of Service in golang.org/x/crypto/ssh via AES-GCM Padding Integer Overflow

A high-severity Denial of Service (DoS) vulnerability (CVE-2026-46597 / GO-2026-5013) exists in the golang.org/x/crypto/ssh module before version v0.52.0. The flaw stems from an incorrect operator order during a type conversion of the GCM packet padding size, allowing a remote, unauthenticated attacker to trigger an out-of-bounds slice runtime panic and crash the Go process.

Alon Barad
Alon Barad
5 views•7 min read
•about 13 hours ago•CVE-2026-39828
6.3

CVE-2026-39828: Go SSH Server PartialSuccessError Permissions Discard Bypass

A critical security bypass vulnerability was discovered in the Go SSH server implementation within the golang.org/x/crypto/ssh package. When an SSH server authentication callback returned a PartialSuccessError alongside non-nil Permissions, the server silently discarded these permissions before the subsequent authentication step. Consequently, once the user completed the second-factor authentication, the session-level restrictions were dropped, granting the client unauthorized capabilities.

Amit Schendel
Amit Schendel
5 views•7 min read