The Old Switcheroo: Bypassing Namespace Policies in Temporal (CVE-2025-14986)
Jan 1, 2026·5 min read·2 visits
Executive Summary (TL;DR)
Temporal's frontend failed to cross-check the namespace of an internal 'embedded' request against the outer wrapper request. An attacker could wrap a `StartWorkflow` command claiming to be for 'Namespace B' (high limits) inside a request authorized for 'Namespace A' (low limits). The server validated against B but executed in A, effectively bypassing namespace-level constraints.
A logic flaw in Temporal's `ExecuteMultiOperation` API allowed authenticated users to execute workflows in one namespace while validating them against the policies of another. By embedding a request with a mismatched namespace ID, attackers could bypass rate limits and feature gates.
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/RE:L/U:GreenAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Temporal Server Temporal Technologies | >= 1.24.0, < 1.27.4 | 1.27.4 |
Temporal Server Temporal Technologies | >= 1.28.0, < 1.28.2 | 1.28.2 |
Temporal Server Temporal Technologies | >= 1.29.0, < 1.29.2 | 1.29.2 |
| Attribute | Detail |
|---|---|
| CWE | CWE-863 (Incorrect Authorization) |
| CVSS v4.0 | 1.3 (Low) |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N |
| Attack Vector | Network (gRPC) |
| Exploit Complexity | Low |
| Privileges Required | Low (Valid Namespace Access) |
MITRE ATT&CK Mapping
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.