GHSA-p2gr-hm8g-q772

Source

https://github.com/advisories/GHSA-p2gr-hm8g-q772

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-p2gr-hm8g-q772/GHSA-p2gr-hm8g-q772.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p2gr-hm8g-q772

Aliases

Related

CGA-4wxh-qc3v-rpfc

Published

2025-12-30T21:30:33Z

Modified

2026-02-04T02:54:00.634347Z

Severity

1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts

Details

When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.

Database specific

{
    "github_reviewed_at": "2025-12-31T22:08:24Z",
    "github_reviewed": true,
    "nvd_published_at": "2025-12-30T21:15:42Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "LOW"
}

References

Affected packages

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.24.0

Fixed

1.27.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-p2gr-hm8g-q772/GHSA-p2gr-hm8g-q772.json"

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.28.0

Fixed

1.28.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-p2gr-hm8g-q772/GHSA-p2gr-hm8g-q772.json"

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.29.0

Fixed

1.29.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-p2gr-hm8g-q772/GHSA-p2gr-hm8g-q772.json"