Skip to content
Verified reproduction

CVE-2026-5199: Temporal Server: batcher worker cross-namespace authorization bypass (BatchActivityWithProtobuf)

CVE-2026-5199 is verified against temporal · go affected versions: 1.29.0 – 1.29.4 (and 1.30.0 – 1.30.2) fixed version: 1.29.5 vulnerability class: Auth Bypass This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00184.

REPRO-2026-00184 temporal · go Auth Bypass Variant found May 28, 2026 CVE entry .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 72m 49s
Tool calls 401
Spend $6.46
Affected 1.29.0 – 1.29.4 (and 1.30.0 – 1.30.2)
Fixed in 1.29.5
$ pruva-verify REPRO-2026-00184
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00184/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

The original NVD blurb and several early advisories claimed a frontend gRPC cross-namespace signal bypass. That vector is incorrect — the public frontend authorization interceptor correctly validates Request.Namespace against the caller's claims on both v1.29.4 and v1.29.5.

The actual vulnerability lives in the per-namespace batcher worker (service/worker/batcher/activities.go). BatchActivityWithProtobuf receives a BatchOperationInput protobuf and, on v1.29.4, calls checkNamespaceID(batchParams.NamespaceId). This validates only the namespace ID field, but the activity then forwards batchParams.Request.Namespace (a namespace name) to the internal frontend client. The internal frontend runs with NoopClaimMapper → RoleAdmin, so any namespace string supplied by the attacker is executed unconditionally.

An attacker who holds a valid auth token (writer role) for namespace A can submit a batch operation whose protobuf carries:

  • NamespaceId = the worker-bound ID for namespace A (passes checkNamespaceID)
  • Request.Namespace = the name of victim namespace B

The batcher worker then signals, cancels, terminates, or resets workflows in namespace B without re-validating the caller's authorization for B.

The bug is authenticated (requires valid credentials for at least one namespace on the cluster). It affects multi-tenant clusters that expose batch operations. The impact is an integrity violation against victim workflows (signal/reset/terminate), not data exfiltration.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.