The Masked Namespace Vulnerability In Temporal CVE-2025-14986
Summary
Depthfirst reports a masked namespace vulnerability in Temporal (CVE-2025-14986) that allows a Confused Deputy attack: during request preparation, a verified outer namespace is mixed with an untrusted inner namespace. The article details two exploitation paths, a patch that enforces inner==outer namespace, and a timeline of disclosure and fixes, and it highlights the implications for multi-tenant SaaS and policy governance.
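The inner==outer check described above, shown as an added example (not Temporal's code or the article's). The Request and Inner types, the ACL map, and the function names are hypothetical, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical shape: the authorizer sees Namespace; Inner.Namespace is caller-controlled.
type Inner struct{ Namespace, Action string }
type Request struct {
	Namespace string
	Inner     Inner
}

var ErrDenied = errors.New("caller not authorized for namespace")
var ErrMismatch = errors.New("inner namespace does not match outer namespace")
// authorize is a stand-in policy check: each caller maps to the namespace it owns.
func authorize(acl map[string]string, caller, ns string) error {
	if acl[caller] != ns {
		return ErrDenied
	}
	return nil
}

// PrepareMasked authorizes the outer namespace but returns the inner one as the target.
func PrepareMasked(acl map[string]string, caller string, r Request) (string, error) {
	if err := authorize(acl, caller, r.Namespace); err != nil {
		return "", err
	}
	return r.Inner.Namespace, nil // work would run in a namespace nobody checked
}

// PrepareChecked rejects the request unless inner and outer namespaces are equal.
func PrepareChecked(acl map[string]string, caller string, r Request) (string, error) {
	if err := authorize(acl, caller, r.Namespace); err != nil {
		return "", err
	}
	if r.Inner.Namespace != r.Namespace {
		return "", ErrMismatch
	}
	return r.Namespace, nil
}

func main() {
	acl := map[string]string{"svc-a": "tenant-a"} // constructed sample data
	r := Request{Namespace: "tenant-a", Inner: Inner{"tenant-b", "start"}}
	fmt.Println(PrepareMasked(acl, "svc-a", r))
	fmt.Println(PrepareChecked(acl, "svc-a", r))
}
```

Logging or alerting on ErrMismatch gives defenders a signal for requests whose inner namespace differs from the authorized outer one.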