Temporal Namespace Validation Bypass Vulnerability in ExecuteMultiOperationRequest

Vulnerability

A vulnerability exists in Temporal versions starting with 1.24.0 and prior to 1.29.1 that allows users to bypass namespace-specific validation and policies. When the 'frontend.enableExecuteMultiOperation' feature is enabled, the server incorrectly applies validation based on the namespace of an embedded 'StartWorkflowExecutionRequest' instead of the authorized namespace of the outer 'ExecuteMultiOperationRequest'. This flaw enables a user to manipulate the embedded namespace field and circumvent limits or policies, although the workflow is ultimately created in the authorized namespace.
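A minimal Go model of the validation flaw described above, added here as an illustration; it is not Temporal's code or the project's patch. The types are simplified stand-ins, the namespace names and size limits are constructed, and rejecting a mismatched embedded namespace is one assumed way to harden the check.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the two request shapes named in the advisory (not Temporal's real types).
type StartWorkflowExecutionRequest struct {
	Namespace  string // field inside the embedded request, set by the caller
	InputBytes int
}
type ExecuteMultiOperationRequest struct {
	Namespace string // namespace the caller was authorized against
	Start     StartWorkflowExecutionRequest
}

// Constructed per-namespace policy (maximum input size in bytes) and sentinel errors.
var (
	maxInput    = map[string]int{"restricted": 1024, "permissive": 1 << 20}
	errMismatch = errors.New("embedded namespace differs from authorized namespace")
	errLimit    = errors.New("input exceeds namespace limit")
)

// checkLimit applies the policy of ns; an unknown namespace has limit 0, so it fails closed.
func checkLimit(ns string, size int) error {
	if size > maxInput[ns] {
		return errLimit
	}
	return nil
}

// validateFlawed has the shape of the bug: policy is looked up by the embedded namespace.
func validateFlawed(r ExecuteMultiOperationRequest) error {
	return checkLimit(r.Start.Namespace, r.Start.InputBytes)
}

// validateHardened (assumed mitigation) rejects a mismatch and validates against the outer namespace.
func validateHardened(r ExecuteMultiOperationRequest) error {
	if r.Start.Namespace != r.Namespace {
		return errMismatch
	}
	return checkLimit(r.Namespace, r.Start.InputBytes)
}

func main() {
	// Constructed request: authorized for "restricted", embedded request names "permissive".
	r := ExecuteMultiOperationRequest{Namespace: "restricted", Start: StartWorkflowExecutionRequest{Namespace: "permissive", InputBytes: 4096}}
	fmt.Println(validateFlawed(r), validateHardened(r))
}
```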

Impact

Exploitation of this vulnerability could lead to unauthorized bypassing of namespace limits and policies, potentially allowing for the execution of workflows that should be restricted under the current namespace's rules.

Remediation

Users can upgrade to Temporal versions 1.27.4, 1.28.2, or 1.29.2 to address this vulnerability.

Added: Dec 30, 2025, 9:22 PM
Updated: Dec 30, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 1.8
threat: 0.0
urgency: 1.4
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.