GHSA-hmhp-gh8m-c8xp

Source

https://github.com/advisories/GHSA-hmhp-gh8m-c8xp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hmhp-gh8m-c8xp/GHSA-hmhp-gh8m-c8xp.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-hmhp-gh8m-c8xp

Aliases

CVE-2025-14987

Published

2025-12-30T21:30:33Z

Modified

2026-01-02T16:11:15.525333Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVSS Calculator

Summary

Temporal has an Incorrect Authorization vulnerability

Details

When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2025-12-30T21:15:43Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2026-01-02T15:46:14Z"
}

References

Affected packages

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.27.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hmhp-gh8m-c8xp/GHSA-hmhp-gh8m-c8xp.json"

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.28.0

Fixed

1.28.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hmhp-gh8m-c8xp/GHSA-hmhp-gh8m-c8xp.json"

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.29.0

Fixed

1.29.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hmhp-gh8m-c8xp/GHSA-hmhp-gh8m-c8xp.json"

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.29.0-0

Fixed

1.29.0-135.0.0.20251218190115-b292a32bacdf

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hmhp-gh8m-c8xp/GHSA-hmhp-gh8m-c8xp.json"