Namespace Privilege Escalation in Temporal Server by Temporal Technologies
CVE-2026-5199

2.3 LOW

Key Information:

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-5199?

A vulnerability in Temporal Server enables a user with the writer role in an attacker-controlled namespace to manipulate workflows or activities within a victim's namespace. The attack exploits a bug in version 1.29.0 that erroneously allowed the attacker to control the namespace name value. The flaw arises because the batch activity code validated the namespace ID but failed to verify the namespace name against the worker's bound namespace. As a result, the worker's privileged credentials can be leveraged to operate on arbitrary namespaces. The vulnerability is particularly concerning in configurations where internal components have cross-namespace authorizations, such as deployments of the internal-frontend service.
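The check described above, sketched as an added example that is not Temporal's code: it contrasts validating only the namespace ID with validating both ID and name against the worker's binding. The types `Namespace` and `BatchRequest`, the functions `targetVulnerable` and `targetHardened`, and all sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model; these types are not Temporal's.
type Namespace struct{ ID, Name string }

// BatchRequest is the caller-supplied input to a batch activity.
type BatchRequest struct{ NamespaceID, NamespaceName string }

var ErrNamespaceMismatch = errors.New("request namespace does not match worker binding")

// targetVulnerable mirrors the flaw described above: only the ID is compared,
// and the unchecked name from the request selects the namespace operated on.
func targetVulnerable(bound Namespace, req BatchRequest) (string, error) {
	if req.NamespaceID != bound.ID {
		return "", ErrNamespaceMismatch
	}
	return req.NamespaceName, nil
}

// targetHardened checks both fields and returns the worker's own bound name,
// so request data never chooses where privileged credentials are used.
func targetHardened(bound Namespace, req BatchRequest) (string, error) {
	if req.NamespaceID != bound.ID || req.NamespaceName != bound.Name {
		return "", ErrNamespaceMismatch
	}
	return bound.Name, nil
}

func main() {
	bound := Namespace{ID: "ns-id-a", Name: "tenant-a"} // constructed sample values
	reqs := []BatchRequest{
		{NamespaceID: "ns-id-a", NamespaceName: "tenant-a"}, // consistent
		{NamespaceID: "ns-id-a", NamespaceName: "tenant-b"}, // ID matches, name does not
		{NamespaceID: "ns-id-b", NamespaceName: "tenant-b"}, // nothing matches
	}
	for _, r := range reqs {
		v, vErr := targetVulnerable(bound, r)
		h, hErr := targetHardened(bound, r)
		fmt.Printf("%+v vulnerable=(%q,%v) hardened=(%q,%v)\n", r, v, vErr, h, hErr)
	}
}
```

The second sample request is the case the advisory describes: the ID check passes while the name points elsewhere, and only the hardened check rejects it.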

Affected Version(s)

temporal 1.29.0 < 1.29.5

temporal 1.30.0 < 1.30.3

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved