CVE-2025-14986

Summary

When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.

Affected Software

VendorProductVersion RangeStatus
TemporalTemporal1.24.0 <= 1.29.1affected
TemporalTemporal1.24.0 <= 1.28.1affected
TemporalTemporal1.24.0 <= 1.27.3affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

Workarounds

Set frontend.enableExecuteMultiOperation to false

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References