CVE-2026-5199: Temporal Server: batcher worker cross-namespace authorization bypass (BatchActivityWithProtobuf)
CVE-2026-5199 is verified against temporal · go affected versions: 1.29.0 – 1.29.4 (and 1.30.0 – 1.30.2) fixed version: 1.29.5 vulnerability class: Auth Bypass This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00184.
pruva-verify REPRO-2026-00184 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00184/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh The original NVD blurb and several early advisories claimed a frontend gRPC cross-namespace signal bypass. That vector is incorrect — the public frontend authorization interceptor correctly validates Request.Namespace against the caller's claims on both v1.29.4 and v1.29.5.
The actual vulnerability lives in the per-namespace batcher worker (service/worker/batcher/activities.go). BatchActivityWithProtobuf receives a BatchOperationInput protobuf and, on v1.29.4, calls checkNamespaceID(batchParams.NamespaceId). This validates only the namespace ID field, but the activity then forwards batchParams.Request.Namespace (a namespace name) to the internal frontend client. The internal frontend runs with NoopClaimMapper → RoleAdmin, so any namespace string supplied by the attacker is executed unconditionally.
An attacker who holds a valid auth token (writer role) for namespace A can submit a batch operation whose protobuf carries:
NamespaceId= the worker-bound ID for namespace A (passescheckNamespaceID)Request.Namespace= the name of victim namespace B
The batcher worker then signals, cancels, terminates, or resets workflows in namespace B without re-validating the caller's authorization for B.
The bug is authenticated (requires valid credentials for at least one namespace on the cluster). It affects multi-tenant clusters that expose batch operations. The impact is an integrity violation against victim workflows (signal/reset/terminate), not data exfiltration.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.