CVE-2025-14986
Unknown Unknown - Not Provided
Namespace Validation Bypass in Temporal ExecuteMultiOperation Feature

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: Temporal Technologies Inc.

Description
When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14986
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
temporal temporal 1.29.1
temporal temporal 1.29.2
temporal temporal 1.25.0
temporal temporal 1.26.0
temporal temporal 1.24.0
temporal temporal 1.28.2
temporal temporal 1.27.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when the feature frontend.enableExecuteMultiOperation is enabled in Temporal server versions 1.24.0 through 1.29.1. The server incorrectly applies namespace-scoped validation and feature gates based on the Namespace field of an embedded StartWorkflowExecutionRequest rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits and policies by setting the embedded start request's namespace to a different namespace. Although the workflow is created in the authorized outer namespace, validation and gating are performed under the wrong namespace context, potentially allowing policy circumvention.

Impact Analysis

This vulnerability can allow an attacker or unauthorized user who has permission in one namespace to bypass the limits and policies of that namespace by manipulating the embedded start request's namespace. This could lead to unauthorized actions or workflows being initiated that circumvent intended namespace restrictions, potentially undermining security controls and operational policies within the Temporal server environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Temporal server to a fixed version that includes patches for CVE-2025-14986. The fixed versions are 1.27.4, 1.28.2, or 1.29.2. Applying these updates will address the security issue related to namespace validation bypass. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14986. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart