Temporal
cpe:2.3:a:temporal:temporal:*:*:*:*:*:*:*
- <= 1.29.1
A vulnerability exists in the Temporal server that allows workflow task commands to be directed at a different namespace than the one authorized at the gRPC boundary. The issue arises when the 'system.enableCrossNamespaceCommands' feature is enabled, which is the default setting. The frontend validates the 'RespondWorkflowTaskCompleted' request based on the namespace of the incoming request, but the history service later executes each command using the namespace embedded in that command's attributes, bypassing the original authorization. As a result, a worker permitted to operate in one namespace could create, signal, or cancel workflows in another namespace. This vulnerability affects Temporal server versions through 1.29.1.
Exploitation of this vulnerability could lead to unauthorized cross-namespace workflow management, allowing actions to be performed in namespaces where the user or worker does not have explicit permission.
Users can upgrade to Temporal server versions 1.27.4, 1.28.2, or 1.29.2 to address this vulnerability.
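To make the authorization mismatch described above concrete, the following is an added example in Go written for this entry; it is illustrative code, not Temporal's source. It models a workflow task request that was authorized for one namespace and carries commands whose attributes name a different target namespace. The `Command` and `Request` types, the `frontendOnlyCheck` and `perCommandCheck` functions, the `crossNamespaceEnabled` flag, and the `allowed` permission map are all assumptions of the example. The first check mirrors the flawed pattern (only the request namespace is examined, so every command passes); the second re-applies authorization to the namespace each command would actually execute in, which is the property a fix must enforce.

```go
package main

import (
	"errors"
	"fmt"
)

// Command is a simplified, hypothetical model of a workflow task command as it
// reaches the history service (not Temporal's own type). For cross-namespace
// operations such as starting a child workflow or signalling/cancelling an
// external workflow, the command attributes carry their own target namespace.
type Command struct {
	Kind            string // e.g. "SignalExternalWorkflowExecution"
	TargetNamespace string // namespace embedded in the attributes; "" means the request namespace
}

// Request models a RespondWorkflowTaskCompleted call after the gRPC boundary
// has authorized it for exactly one namespace.
type Request struct {
	AuthorizedNamespace string
	Commands            []Command
}

var ErrCrossNamespace = errors.New("command targets a namespace the request was not authorized for")

// frontendOnlyCheck reproduces the flawed pattern: authorization considers only
// the namespace of the incoming request, never the target each command names.
func frontendOnlyCheck(req Request, allowed map[string]bool) error {
	if !allowed[req.AuthorizedNamespace] {
		return fmt.Errorf("namespace %q not permitted", req.AuthorizedNamespace)
	}
	return nil
}

// effectiveNamespace is the namespace the history service would act on for
// this command: the embedded target if present, otherwise the request namespace.
func (c Command) effectiveNamespace(requestNS string) string {
	if c.TargetNamespace == "" {
		return requestNS
	}
	return c.TargetNamespace
}

// perCommandCheck is the hardened pattern. After the boundary check it walks
// every command and verifies the namespace that command will execute in. With
// cross-namespace commands disabled, any mismatch is rejected; with them
// enabled, the target namespace must itself be in the caller's permitted set.
func perCommandCheck(req Request, allowed map[string]bool, crossNamespaceEnabled bool) error {
	if err := frontendOnlyCheck(req, allowed); err != nil {
		return err
	}
	for i, c := range req.Commands {
		ns := c.effectiveNamespace(req.AuthorizedNamespace)
		if ns == req.AuthorizedNamespace {
			continue
		}
		if !crossNamespaceEnabled || !allowed[ns] {
			return fmt.Errorf("command %d (%s) -> %q: %w", i, c.Kind, ns, ErrCrossNamespace)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a worker authorized only for "team-a" submits one
	// same-namespace command and one whose attributes name "team-b".
	allowed := map[string]bool{"team-a": true}
	req := Request{
		AuthorizedNamespace: "team-a",
		Commands: []Command{
			{Kind: "StartChildWorkflowExecution", TargetNamespace: ""},
			{Kind: "SignalExternalWorkflowExecution", TargetNamespace: "team-b"},
		},
	}
	fmt.Println("frontend-only check:", frontendOnlyCheck(req, allowed)) // nil: the mismatch is missed
	fmt.Println("per-command check:  ", perCommandCheck(req, allowed, true))
}
```

The per-command walk is the point of the example: because the namespace that matters is the one each command carries, authorization has to be evaluated per command at execution time, not once per request at the boundary.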