Masked namespace vulnerability in Temporal
3 months ago
- #vulnerability
- #security
- #temporal
- Developers favor bundled APIs for atomicity and efficiency, but security engineers caution against them due to complexity and potential vulnerabilities.
- A vulnerability (CVE-2025-14986) was discovered in Temporal's ExecuteMultiOperation endpoint: an identity-binding bug in which inner operations could name a namespace different from the one the outer request was authorized against.
- Temporal is critical infrastructure for companies such as Netflix and Stripe, ensuring that code keeps executing reliably even when servers fail.
- The bug allowed attackers to bypass authorization checks by manipulating namespace fields in bundled operations, leading to potential cross-tenant isolation breaches and policy overrides.
- Exploits included accessing private database schemas of other tenants and overriding strict organizational policies with permissive personal account settings.
- The fix in Temporal v1.27 enforces that inner operation namespaces must match the outer authorized namespace, closing the vulnerability.
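The flawed check and the corrected one, side by side, as an added illustration (not Temporal's own code; the request and caller types are constructed stand-ins, and the tenant names are made up):

```go
package main
import (
	"errors"
	"fmt"
)

// Constructed stand-in for the bundled request (not Temporal's protobuf types).
type MultiOperationRequest struct {
	Namespace  string // the namespace the caller is authorized against
	Operations []InnerOperation
}
// Each inner operation carries its own Namespace, the field the bug never bound to the outer one.
type InnerOperation struct {
	Kind      string // constructed, e.g. "StartWorkflow" or "UpdateWorkflow"
	Namespace string
}
// Caller holds the namespaces an authenticated identity may act in.
type Caller struct{ Namespaces map[string]bool }
var ErrUnauthorized = errors.New("caller not authorized for request namespace")
var ErrNamespaceMismatch = errors.New("inner namespace differs from request namespace")

// authorizeOuterOnly is the flawed pattern: only the outer namespace is checked,
// so an inner operation naming another tenant's namespace passes through.
func authorizeOuterOnly(c Caller, req MultiOperationRequest) error {
	if !c.Namespaces[req.Namespace] {
		return ErrUnauthorized
	}
	return nil
}

// authorizeBound is the hardened form: after the outer check, every inner
// namespace must equal the authorized one, binding identity to what executes.
func authorizeBound(c Caller, req MultiOperationRequest) error {
	if err := authorizeOuterOnly(c, req); err != nil {
		return err
	}
	for i, op := range req.Operations {
		if op.Namespace != req.Namespace {
			return fmt.Errorf("operation %d (%s): %w", i, op.Kind, ErrNamespaceMismatch)
		}
	}
	return nil
}

func main() { // constructed tenants: the caller may act in "tenant-a" only
	c := Caller{Namespaces: map[string]bool{"tenant-a": true}}
	req := MultiOperationRequest{Namespace: "tenant-a", Operations: []InnerOperation{
		{Kind: "StartWorkflow", Namespace: "tenant-a"}, {Kind: "UpdateWorkflow", Namespace: "tenant-b"}}}
	fmt.Println(authorizeOuterOnly(c, req), "|", authorizeBound(c, req)) // <nil> | operation 1 (UpdateWorkflow): inner namespace differs from request namespace
}
```

The outer-only check accepts the bundle because it never looks past the request's own namespace; the bound check rejects it at the first inner operation whose namespace differs.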