DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-14987: Temporal Paradox: The Cross-Namespace Authorization Bypass

Vulnerability ID: CVE-2025-14987
CVSS Score: 5.3
Published: 2025-12-30

A logic flaw in Temporal's gRPC authorization interceptor allows authenticated workers in one namespace to execute unauthorized commands (Signaling, Canceling, etc.) against workflows in a completely different namespace.

TL;DR

Temporal trusted the envelope but ignored the letter inside. A worker authorized for 'Namespace A' could embed commands targeting 'Namespace B' within a standard task completion response. Because the server only validated the worker's access to 'Namespace A', the cross-namespace commands were executed without a secondary permission check. Fixed by adding 'Deep Inspection' logic to the authorization layer.
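
As an added illustration, not code from the report or from Temporal itself, the Go sketch below models the envelope-versus-letter check the TL;DR describes: a flawed interceptor that authorizes only the namespace the task completion is addressed to, beside one that also inspects the target namespace of every embedded command and can refuse cross-namespace commands outright. The `Command`, `Completion` and `Claims` types and both function names are hypothetical simplifications, not Temporal's real API.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical simplified model, not Temporal's real types: a task completion is addressed
// to one namespace (the "envelope") and carries commands (the "letter"), some cross-namespace.
type Command struct {
	Kind            string // e.g. "SignalExternalWorkflow", "CompleteWorkflow"
	TargetNamespace string // empty when the command acts on the current workflow
}
type Completion struct {
	Namespace string
	Commands  []Command
}
// Claims is a constructed stand-in for the caller's authorization result.
type Claims map[string]bool
var ErrUnauthorized = errors.New("permission denied")
// authorizeEnvelopeOnly mirrors the flawed logic: only the addressed namespace is checked.
func authorizeEnvelopeOnly(c Claims, req Completion) error {
	if !c[req.Namespace] {
		return ErrUnauthorized
	}
	return nil
}
// authorizeDeep adds the "deep inspection": every namespace a command targets must also be
// permitted, and cross-namespace commands can be switched off (modelling the page's
// system.enableCrossNamespaceCommands setting).
func authorizeDeep(c Claims, req Completion, crossNamespaceEnabled bool) error {
	if err := authorizeEnvelopeOnly(c, req); err != nil {
		return err
	}
	for _, cmd := range req.Commands {
		if cmd.TargetNamespace == "" || cmd.TargetNamespace == req.Namespace {
			continue // same-namespace command, already covered by the envelope check
		}
		if !crossNamespaceEnabled || !c[cmd.TargetNamespace] {
			return fmt.Errorf("%w: %s targets namespace %q", ErrUnauthorized, cmd.Kind, cmd.TargetNamespace)
		}
	}
	return nil
}

func main() {
	claims := Claims{"namespace-a": true} // worker authorized for namespace-a only
	req := Completion{Namespace: "namespace-a", Commands: []Command{{Kind: "SignalExternalWorkflow", TargetNamespace: "namespace-b"}}}
	fmt.Println(authorizeEnvelopeOnly(claims, req), "|", authorizeDeep(claims, req, true))
}
```

With the worker holding claims for namespace-a only, the envelope-only check accepts the completion while the deep check rejects the signal aimed at namespace-b.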


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2025-14987
  • CVSS 4.0: 5.3 (Medium)
  • CWE: CWE-863 (Incorrect Authorization)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
  • Impact: Cross-Namespace Command Execution
  • Patch Commit: b292a32bacdfa6472affd90f0a940408d5839cfa

Affected Systems

  • Temporal Server
  • Temporal Server: <= 1.27.3 (Fixed in: 1.27.4)
  • Temporal Server: 1.28.0 - 1.28.1 (Fixed in: 1.28.2)
  • Temporal Server: 1.29.0 - 1.29.1 (Fixed in: 1.29.2)

Code Analysis

Commit: b292a32

Fix authorization for cross-namespace commands

func (a *Interceptor) authorizeTargetNamespaces(...) ...

Exploit Details

  • GitHub: Unit tests demonstrating the authorized vs unauthorized cross-namespace behavior

Mitigation Strategies

  • Upgrade to patched versions immediately.
  • Disable cross-namespace commands via dynamic configuration if patching is delayed.
  • Audit existing workflows for unexpected cross-namespace activity.

Remediation Steps:

  1. Identify the current Temporal Server version.
  2. If the version is <= 1.27.3, 1.28.0-1.28.1, or 1.29.0-1.29.1, schedule maintenance.
  3. Deploy version 1.27.4, 1.28.2, or 1.29.2.
  4. Verify 'system.enableCrossNamespaceCommands' setting aligns with security policy.

Read the full report for CVE-2025-14987 on our website for more details including interactive diagrams and full exploit analysis.