{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-14986","assignerOrgId":"61241ed8-fa44-4f23-92db-b8c443751968","state":"PUBLISHED","assignerShortName":"Temporal","dateReserved":"2025-12-19T19:18:54.548Z","datePublished":"2025-12-30T20:17:47.201Z","dateUpdated":"2026-01-02T15:31:02.796Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://github.com/temporalio/temporal","defaultStatus":"unaffected","packageName":"temporal","product":"Temporal","repo":"https://github.com/temporalio/temporal","vendor":"Temporal","versions":[{"lessThanOrEqual":"1.29.1","status":"affected","version":"1.24.0","versionType":"semver"},{"lessThanOrEqual":"1.28.1","status":"affected","version":"1.24.0","versionType":"semver"},{"lessThanOrEqual":"1.27.3","status":"affected","version":"1.24.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"When <code>frontend.enableExecuteMultiOperation</code> is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.<br>This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."}],"value":"When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.\nThis issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"NEGLIGIBLE","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":1.3,"baseSeverity":"LOW","exploitMaturity":"UNREPORTED","privilegesRequired":"LOW","providerUrgency":"GREEN","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/RE:L/U:Green","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"LOW"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"61241ed8-fa44-4f23-92db-b8c443751968","shortName":"Temporal","dateUpdated":"2025-12-30T20:17:47.201Z"},"references":[{"url":"https://github.com/temporalio/temporal/releases/tag/v1.27.4"},{"url":"https://github.com/temporalio/temporal/releases/tag/v1.28.2"},{"url":"https://github.com/temporalio/temporal/releases/tag/v1.29.2"}],"source":{"discovery":"EXTERNAL"},"title":"ExecuteMultiOperation Namespace Policy Bypass","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Set&nbsp;<code><span style=\"background-color: rgba(232, 232, 232, 0.04);\">frontend.enableExecuteMultiOperation</span></code><span style=\"background-color: rgb(255, 255, 255);\"> to false</span><br>"}],"value":"Set frontend.enableExecuteMultiOperation to false"}],"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-02T15:30:54.551721Z","id":"CVE-2025-14986","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-02T15:31:02.796Z"}}]}}