80 matches found
PT-2026-29583
Name of the Vulnerable Software and Affected Versions Temporal Server versions 1.29.0 and later Description A user with a writer role in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the...
Temporal Server 安全漏洞
Temporal Server is a microservices orchestration platform developed by Temporal Corporation. There is a security vulnerability in Temporal Server. This vulnerability stems from the fact that users with the “Writer” role in the namespaces controlled by attackers can send signals, delete, and reset...
GHSA-9H8M-3FM2-QJRQ vulnerabilities
Vulnerabilities for packages: k9s-fips, jobset-fips, blob-csi-fips, tfsec, kubevela-fips, trivy-operator-fips, bank-vaults, rancher-system-agent, flyte, cloudbeat, vault-secrets-webhook, cass-operator, migrate, spire-server-fips, onepassword-operator, k8s-agents-operator-fips, ops-agent,...
GHSA-FW7P-63QQ-7HPR vulnerabilities
Vulnerabilities for packages: percona-xtradb-cluster-operator, apko, kyverno-policy-reporter-fips, dgraph, keda, argo-workflows, crossplane-provider-sql, rekor-fips, sftpgo-plugin-eventstore, ory-kratos, elastic-agent-fips, grafana-alloy, step-ca, spire-server-fips, agentbeat-fips, tailscale,...
SUSE CVE-2025-14987
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
GO-2026-4273 Temporal has an Incorrect Authorization vulnerability in go.temporal.io/server
Temporal has an Incorrect Authorization vulnerability in go.temporal.io/server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, plea...
CVE-2024-2689
Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid...
CVE-2025-14987
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
EUVD-2025-205855
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
GHSA-HMHP-GH8M-C8XP Temporal has an Incorrect Authorization vulnerability
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the system.enableCrossNamespaceCommands when it is enabled on by default. An attacker can perform unauthorized actions in a different namespace by submitting workflow task commands that target namespaces othe...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization when the frontend.enableExecuteMultiOperation is enabled. An attacker can circumvent namespace-specific validation and feature gates by setting the embedded StartWorkflowExecutionRequest's namespace field to a...
CVE-2025-14987 Cross Namespace Commands Authorization Bypass
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
CVE-2025-14987 Cross Namespace Commands Authorization Bypass
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
CVE-2025-14987
CVE-2025-14987 : Temporal server has an Incorrect Authorization flaw when system.enableCrossNamespaceCommands is enabled (default on). The frontend validates RespondWorkflowTaskCompleted for the outer namespace, but the history service executes commands using the namespace embedded in command att...
CVE-2025-14987 Cross Namespace Commands Authorization Bypass
When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...
PT-2025-54225
Name of the Vulnerable Software and Affected Versions Temporal versions through 1.29.1 Description When the system.enableCrossNamespaceCommands setting is enabled, the Temporal server allows specific workflow task commands—including StartChildWorkflowExecution, SignalExternalWorkflowExecution, an...
Denial Of Service (DoS)
go.temporal.io/server is vulnerable to Denial of service DoS. The vulnerability is due to insufficiently specific bounds checking on the authorization header, which allows an attacker to trigger excessive memory allocation leading to a denial of service...
EUVD-2024-1323
Malicious code in bioql PyPI...
EUVD-2025-29200
Malicious code in bioql PyPI...