Refine your search
4 vulnerabilities found for Temporal by Temporal
CVE-2025-14987 (GCVE-0-2025-14987)
Vulnerability from nvd
Published
2025-12-30 20:16
Modified
2025-12-30 20:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace.
This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://github.com/temporalio/temporal",
"defaultStatus": "unaffected",
"packageName": "temporal",
"product": "Temporal",
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal",
"versions": [
{
"lessThanOrEqual": "1.29.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.28.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.27.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When \u003ccode\u003esystem.enableCrossNamespaceCommands\u003c/code\u003e is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. \u003ccode\u003eStartChildWorkflowExecution\u003c/code\u003e, \u003ccode\u003eSignalExternalWorkflowExecution\u003c/code\u003e, \u003ccode\u003eRequestCancelExternalWorkflowExecution\u003c/code\u003e) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes \u003ccode\u003eRespondWorkflowTaskCompleted\u003c/code\u003e based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace.\u003cbr\u003eThis issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"value": "When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace.\nThis issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T20:16:20.154Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.27.4"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.2"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.29.2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Cross Namespace Commands Authorization Bypass",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Set \u003ccode\u003esystem.enableCrossNamespaceCommands\u003c/code\u003e to false, unless cross-namespace workflow-task commands are explicitly required."
}
],
"value": "Set system.enableCrossNamespaceCommands to false, unless cross-namespace workflow-task commands are explicitly required."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2025-14987",
"datePublished": "2025-12-30T20:16:20.154Z",
"dateReserved": "2025-12-19T19:19:01.833Z",
"dateUpdated": "2025-12-30T20:16:20.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14986 (GCVE-0-2025-14986)
Vulnerability from nvd
Published
2025-12-30 20:17
Modified
2025-12-30 20:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.
This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://github.com/temporalio/temporal",
"defaultStatus": "unaffected",
"packageName": "temporal",
"product": "Temporal",
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal",
"versions": [
{
"lessThanOrEqual": "1.29.1",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.28.1",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.27.3",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When \u003ccode\u003efrontend.enableExecuteMultiOperation\u003c/code\u003e is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace\u0027s limits/policies by setting the embedded start request\u0027s namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.\u003cbr\u003eThis issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"value": "When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace\u0027s limits/policies by setting the embedded start request\u0027s namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.\nThis issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T20:17:47.201Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.27.4"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.2"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.29.2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ExecuteMultiOperation Namespace Policy Bypass",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Set\u0026nbsp;\u003ccode\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003efrontend.enableExecuteMultiOperation\u003c/span\u003e\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e to false\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Set\u00a0frontend.enableExecuteMultiOperation to false"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2025-14986",
"datePublished": "2025-12-30T20:17:47.201Z",
"dateReserved": "2025-12-19T19:18:54.548Z",
"dateUpdated": "2025-12-30T20:17:47.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14986 (GCVE-0-2025-14986)
Vulnerability from cvelistv5
Published
2025-12-30 20:17
Modified
2025-12-30 20:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.
This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://github.com/temporalio/temporal",
"defaultStatus": "unaffected",
"packageName": "temporal",
"product": "Temporal",
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal",
"versions": [
{
"lessThanOrEqual": "1.29.1",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.28.1",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.27.3",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When \u003ccode\u003efrontend.enableExecuteMultiOperation\u003c/code\u003e is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace\u0027s limits/policies by setting the embedded start request\u0027s namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.\u003cbr\u003eThis issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"value": "When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace\u0027s limits/policies by setting the embedded start request\u0027s namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.\nThis issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T20:17:47.201Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.27.4"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.2"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.29.2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ExecuteMultiOperation Namespace Policy Bypass",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Set\u0026nbsp;\u003ccode\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003efrontend.enableExecuteMultiOperation\u003c/span\u003e\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e to false\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Set\u00a0frontend.enableExecuteMultiOperation to false"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2025-14986",
"datePublished": "2025-12-30T20:17:47.201Z",
"dateReserved": "2025-12-19T19:18:54.548Z",
"dateUpdated": "2025-12-30T20:17:47.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14987 (GCVE-0-2025-14987)
Vulnerability from cvelistv5
Published
2025-12-30 20:16
Modified
2025-12-30 20:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace.
This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://github.com/temporalio/temporal",
"defaultStatus": "unaffected",
"packageName": "temporal",
"product": "Temporal",
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal",
"versions": [
{
"lessThanOrEqual": "1.29.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.28.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.27.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When \u003ccode\u003esystem.enableCrossNamespaceCommands\u003c/code\u003e is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. \u003ccode\u003eStartChildWorkflowExecution\u003c/code\u003e, \u003ccode\u003eSignalExternalWorkflowExecution\u003c/code\u003e, \u003ccode\u003eRequestCancelExternalWorkflowExecution\u003c/code\u003e) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes \u003ccode\u003eRespondWorkflowTaskCompleted\u003c/code\u003e based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace.\u003cbr\u003eThis issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"value": "When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace.\nThis issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T20:16:20.154Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.27.4"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.2"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.29.2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Cross Namespace Commands Authorization Bypass",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Set \u003ccode\u003esystem.enableCrossNamespaceCommands\u003c/code\u003e to false, unless cross-namespace workflow-task commands are explicitly required."
}
],
"value": "Set system.enableCrossNamespaceCommands to false, unless cross-namespace workflow-task commands are explicitly required."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2025-14987",
"datePublished": "2025-12-30T20:16:20.154Z",
"dateReserved": "2025-12-19T19:19:01.833Z",
"dateUpdated": "2025-12-30T20:16:20.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}