1.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-14986

CVE-2025-14986: Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts

When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-14986

CVE-2025-14986:

1.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
go.temporal.io/server	go	>= 1.24.0, < 1.27.4	1.27.4
go.temporal.io/server	go	>= 1.28.0, < 1.28.2	1.28.2
go.temporal.io/server	go	>= 1.29.0, < 1.29.2	1.29.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a namespace policy bypass in Temporal's ExecuteMultiOperation feature. An authenticated user with permissions for one namespace can craft a request that causes validation and feature gating to be performed against a different namespace.

The root cause is in the WorkflowHandler.convertToHistoryMultiOperationItem function. This function is responsible for processing individual operations (like starting or updating a workflow) within a batch ExecuteMultiOperationRequest. Before the patch, this function did not verify that the namespace field on the inner operations matched the namespace of the parent, authorized request.

The patch, found in commit a3734a3d330d941440724c973c69c207ff0e8a99, introduces a check in convertToHistoryMultiOperationItem to compare the inner operation's namespace with the parent request's namespace. If they don't match, it returns an errMultiOpNamespaceMismatch error.

During exploitation, a call to the WorkflowHandler.ExecuteMultiOperation API endpoint would trigger this vulnerability. A runtime profiler would show WorkflowHandler.ExecuteMultiOperation calling WorkflowHandler.convertToHistoryMultiOperationRequest, which in turn calls the vulnerable function WorkflowHandler.convertToHistoryMultiOperationItem. Therefore, ExecuteMultiOperation (the entrypoint) and convertToHistoryMultiOperationItem (the root cause) are key indicators of this vulnerability being triggered.

Vulnerable functions

WorkflowHandler.convertToHistoryMultiOperationItem

service/frontend/workflow_handler.go

This function processes individual operations within a `ExecuteMultiOperationRequest`. The vulnerability lies in the fact that, before the patch, this function did not validate that the namespace specified in an inner `StartWorkflow` or `UpdateWorkflow` operation matched the namespace of the parent `ExecuteMultiOperationRequest`. This allowed an attacker to bypass namespace-specific policies by providing a different namespace in the inner operation. The patch adds a check to ensure the namespaces match.

WorkflowHandler.ExecuteMultiOperation

service/frontend/workflow_handler.go

This is the main API endpoint for the `ExecuteMultiOperation` feature. An attacker would call this function with a specially crafted request to trigger the vulnerability. While the logical flaw is not directly in this function, it is the entry point for the vulnerable execution path and would appear at the top of a stack trace during exploitation.

WorkflowHandler.convertToHistoryMultiOperationRequest

service/frontend/workflow_handler.go

This function orchestrates the conversion of operations for the `ExecuteMultiOperation` request. It was modified to pass the parent request's namespace down to `convertToHistoryMultiOperationItem` so that the validation could be performed. This function is part of the call chain that leads to the vulnerable logic.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-14986: Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts

CVE-2025-14986:

1.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-14986: Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts

1.3

1.3

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI