Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0944

NIXPKGS-2026-0944
published on
Permalink CVE-2026-5199
updated 8 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 12 hours ago
  • @LeSuisse removed package temporalite 8 hours ago
  • @LeSuisse removed package temporal-cli 8 hours ago
  • @LeSuisse removed package temporal_capi 8 hours ago
  • @LeSuisse removed package temporal-ui-server 8 hours ago
  • @LeSuisse removed package python312Packages.temporalio 8 hours ago
  • @LeSuisse removed package python313Packages.temporalio 8 hours ago
  • @LeSuisse removed package python314Packages.temporalio 8 hours ago
  • @LeSuisse removed package haskellPackages.temporal-media 8 hours ago
  • @LeSuisse removed package terraform-providers.temporalcloud 8 hours ago
  • @LeSuisse removed package postgresqlPackages.temporal_tables 8 hours ago
  • @LeSuisse removed package haskellPackages.temporal-api-protos 8 hours ago
  • @LeSuisse removed package postgresql13Packages.temporal_tables 8 hours ago
  • @LeSuisse removed package postgresql14Packages.temporal_tables 8 hours ago
  • @LeSuisse removed package postgresql15Packages.temporal_tables 8 hours ago
  • @LeSuisse removed package postgresql16Packages.temporal_tables 8 hours ago
  • @LeSuisse removed package postgresql17Packages.temporal_tables 8 hours ago
  • @LeSuisse removed package postgresql18Packages.temporal_tables 8 hours ago
  • @LeSuisse removed package haskellPackages.temporal-music-notation 8 hours ago
  • @LeSuisse removed package haskellPackages.temporal-music-notation-demo 8 hours ago
  • @LeSuisse removed package terraform-providers.temporalio_temporalcloud 8 hours ago
  • @LeSuisse removed package haskellPackages.temporal-music-notation-western 8 hours ago
  • @LeSuisse accepted 8 hours ago
  • @LeSuisse published on GitHub 8 hours ago
Cross Namespace Access via Batch Operation

A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) and, for signal operations, signal names. This was due to a bug introduced in Temporal Server v1.29.0 which inadvertently allowed an attacker to control the namespace name value instead of using the server's own trusted name value within the batch activity code. The batch activity validated the namespace ID but did not cross-check the namespace name against the worker's bound namespace, allowing the per-namespace worker's privileged credentials to operate on an arbitrary namespace. Exploitation requires a server configuration where internal components have cross-namespace authorization, such as deployment of the internal-frontend service or equivalent TLS-based authorization for internal identities. This vulnerability also impacted Temporal Cloud when the attacker and victim namespaces were on the same cell, with the same preconditions as self-hosted clusters.

Affected products

temporal
  • <1.30.3
  • <1.29.5

Matching in nixpkgs

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

Ignored packages (21)

pkgs.temporalite

Experimental distribution of Temporal that runs as a single process

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

Package maintainers

https://github.com/temporalio/temporal/releases/tag/v1.29.5
https://github.com/temporalio/temporal/releases/tag/v1.30.3