Temporal Paradox: The Cross-Namespace Authorization Bypass
Jan 2, 2026·5 min read·1 visit
Executive Summary (TL;DR)
Temporal trusted the envelope but ignored the letter inside. A worker authorized for 'Namespace A' could embed commands targeting 'Namespace B' within a standard task completion response. Because the server only validated the worker's access to 'Namespace A', the cross-namespace commands were executed without a secondary permission check. Fixed by adding 'Deep Inspection' logic to the authorization layer.
A logic flaw in Temporal's gRPC authorization interceptor allows authenticated workers in one namespace to execute unauthorized commands (Signaling, Canceling, etc.) against workflows in a completely different namespace.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:LAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Temporal Server Temporal | <= 1.27.3 | 1.27.4 |
Temporal Server Temporal | 1.28.0 - 1.28.1 | 1.28.2 |
Temporal Server Temporal | 1.29.0 - 1.29.1 | 1.29.2 |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2025-14987 |
| CVSS 4.0 | 5.3 (Medium) |
| CWE | CWE-863 (Incorrect Authorization) |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
| Impact | Cross-Namespace Command Execution |
| Patch Commit | b292a32bacdfa6472affd90f0a940408d5839cfa |
MITRE ATT&CK Mapping
The product provides an authorization method that does not properly verify that the user has the necessary permissions to access the requested resource.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.