CVE-2026-5199
Severity CVSS v4.0:
LOW
Type:
Unavailable / Other
Publication date:
01/04/2026
Last modified:
01/04/2026
Description
A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) and, for signal operations, signal names. This was due to a bug introduced in Temporal Server v1.29.0 which inadvertently allowed an attacker to control the namespace name value instead of using the server&#39;s own trusted name value within the batch activity code. The batch activity validated the namespace ID but did not cross-check the namespace name against the worker&#39;s bound namespace, allowing the per-namespace worker&#39;s privileged credentials to operate on an arbitrary namespace. Exploitation requires a server configuration where internal components have cross-namespace authorization, such as deployment of the internal-frontend service or equivalent TLS-based authorization for internal identities.<br />
<br />
<br />
<br />
<br />
This vulnerability also impacted Temporal Cloud when the attacker and victim namespaces were on the same cell, with the same preconditions as self-hosted clusters.