CVE-2025-14987
📋 TL;DR
This vulnerability allows workers authorized for one Temporal namespace to create, signal, or cancel workflows in other namespaces when cross-namespace commands are enabled. It affects Temporal servers through version 1.29.1 due to improper authorization checks in the history service.
💻 Affected Systems
- Temporal Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with worker access to one namespace could manipulate workflows across all namespaces, potentially disrupting business processes, exfiltrating sensitive workflow data, or causing denial of service.
Likely Case
Accidental or intentional cross-namespace workflow interference leading to data integrity issues, workflow failures, or unauthorized workflow state changes.
If Mitigated
Limited impact if proper namespace isolation controls are in place, but still represents a privilege escalation risk within the Temporal environment.
🎯 Exploit Status
Exploitation requires authorized worker access to at least one namespace and knowledge of target namespace names.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.4, 1.28.2, or 1.29.2
Vendor Advisory: https://github.com/temporalio/temporal/releases
Restart Required: Yes
Instructions:
1. Identify the current Temporal server version.
2. Upgrade to a patched version (1.27.4, 1.28.2, or 1.29.2).
3. Restart Temporal services.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Cross-Namespace Commands
Set system.enableCrossNamespaceCommands to false in the server's dynamic config to disable the vulnerable functionality. This also blocks legitimate cross-namespace child workflows, signals and cancellations, so confirm no workflow relies on them before applying it.
system.enableCrossNamespaceCommands: false
🧯 If You Can't Patch
- Implement strict network segmentation between namespaces
- Enforce additional authorization layers at workflow task level
🔍 How to Verify
Check if Vulnerable:
Check the Temporal server version and whether system.enableCrossNamespaceCommands is enabled: a server through version 1.29.1 with the setting enabled is vulnerable.
Check Version:
temporal server version
Verify Fix Applied:
Confirm server version is 1.27.4, 1.28.2, or 1.29.2 and test cross-namespace command authorization.
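An added verification helper (not from the Temporal project or this advisory) that turns the checks above into code: it compares a server version string against the patched releases listed here and inspects a loaded dynamic-config mapping for the workaround setting. It assumes the dynamic config has already been loaded into a dict (for instance with yaml.safe_load) where each key maps to a list of value/constraints entries, and that a missing key means the setting keeps its enabled default.

```python
import re

# Patched releases named in this advisory, keyed by 1.x minor line.
PATCHED_MIN_PATCH = {27: 4, 28: 2, 29: 2}
SETTING = "system.enableCrossNamespaceCommands"


def is_patched(version: str) -> bool:
    """True if `version` is 1.27.4+, 1.28.2+, 1.29.2+ or a newer release line."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return major > 1
    if minor in PATCHED_MIN_PATCH:
        return patch >= PATCHED_MIN_PATCH[minor]
    # 1.30+ is past the affected range; older lines (<= 1.26) have no fix listed.
    return minor > 29


def cross_namespace_disabled(dynamic_config: dict) -> bool:
    """True only when the setting is false with no constraints (applies globally).

    A missing key is treated as enabled (assumption: the server default allows
    cross-namespace commands, which is why the workaround sets it to false).
    """
    for entry in dynamic_config.get(SETTING) or []:
        if entry.get("value") is False and not entry.get("constraints"):
            return True
    return False


def assess(version: str, dynamic_config: dict) -> str:
    """Combine both checks into a single verdict for this CVE."""
    if is_patched(version):
        return "patched"
    if cross_namespace_disabled(dynamic_config):
        return "unpatched-but-mitigated"
    return "vulnerable"


# Constructed sample inputs, shaped like yaml.safe_load output of a dynamicconfig file.
SAMPLE_ENABLED = {SETTING: [{"value": True, "constraints": {}}]}
SAMPLE_DISABLED = {SETTING: [{"value": False}]}

if __name__ == "__main__":
    for ver, cfg in [("1.29.1", SAMPLE_ENABLED), ("1.29.1", SAMPLE_DISABLED), ("v1.29.2", SAMPLE_ENABLED)]:
        print(ver, assess(ver, cfg))
```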
📡 Detection & Monitoring
Log Indicators:
- Unauthorized namespace access attempts in history service logs
- Cross-namespace workflow commands from unauthorized workers
Network Indicators:
- Unexpected workflow commands between namespaces
SIEM Query:
source="temporal" AND ("StartChildWorkflowExecution" OR "SignalExternalWorkflowExecution" OR "RequestCancelExternalWorkflowExecution") AND namespace_mismatch=true