
Temporal Vulnerability: Masked Namespace Bug Explained


Security researcher Mav Levin discovered a masked namespace vulnerability (CVE-2025-14986) in Temporal, a workflow orchestration platform used by companies like Netflix and Stripe. The bug resided in Temporal's `ExecuteMultiOperation` endpoint, which lets a caller bundle several operations into a single request. It stemmed from a discrepancy between the namespace used for authorization and the namespace used while processing the bundled operations.

This vulnerability allowed attackers to bypass security checks. Specifically, the system authorized the request against the outer namespace but then used a different, attacker-controlled namespace named inside the bundled operations for internal work such as policy evaluation. This "Confused Deputy" scenario permitted cross-tenant data breaches and policy overrides, enabling unauthorized access or modification within the platform.

The exploit enabled attackers to either access the data of another tenant by violating isolation or circumvent security policies put in place by administrators. Temporal's fix, released in v1.27, enforces that the namespaces referenced in inner operations match the outer, authorized namespace, preventing the described misuse. The patch was deployed in late December 2025.
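The pattern described above, as an added illustration in Go (not Temporal's own code or types): a bundled request is authorized once against its outer namespace, then the namespace named inside each inner operation is either trusted blindly (the vulnerable shape) or required to equal the authorized one before any inner work runs (the shape of the fix). The `MultiOperationRequest`, `Operation`, `grants` and `policyFor` names are hypothetical stand-ins, and the caller grants and request contents are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Operation is a hypothetical inner operation of a bundled request.
// The Namespace field is attacker-controlled input, like any other request field.
type Operation struct {
	Kind      string
	Namespace string
}

// MultiOperationRequest is a hypothetical bundled request: one outer namespace
// (the one the caller is authorized against) plus several inner operations.
type MultiOperationRequest struct {
	Namespace  string
	Operations []Operation
}

// grants is constructed sample data: which namespaces each caller may use.
var grants = map[string]map[string]bool{
	"alice": {"tenant-a": true},
}

var (
	ErrUnauthorized      = errors.New("caller not authorized for namespace")
	ErrNamespaceMismatch = errors.New("inner operation namespace does not match authorized namespace")
)

// authorize checks the caller against a single namespace.
func authorize(caller, namespace string) error {
	if grants[caller][namespace] {
		return nil
	}
	return ErrUnauthorized
}

// policyFor stands in for per-namespace policy evaluation; it returns a label so
// the tests can see which namespace's policy was actually consulted.
func policyFor(namespace string) string {
	return "policy:" + namespace
}

// vulnerableDispatch authorizes against the outer namespace, then evaluates each
// inner operation against whatever namespace the operation itself names.
// An inner operation naming another tenant's namespace is processed under that
// tenant's policy even though the caller was never authorized for it.
func vulnerableDispatch(caller string, req MultiOperationRequest) ([]string, error) {
	if err := authorize(caller, req.Namespace); err != nil {
		return nil, err
	}
	results := make([]string, 0, len(req.Operations))
	for _, op := range req.Operations {
		results = append(results, policyFor(op.Namespace))
	}
	return results, nil
}

// hardenedDispatch rejects the whole bundle if any inner operation names a
// namespace other than the outer, authorized one, and only ever evaluates
// policy for the authorized namespace.
func hardenedDispatch(caller string, req MultiOperationRequest) ([]string, error) {
	if err := authorize(caller, req.Namespace); err != nil {
		return nil, err
	}
	for i, op := range req.Operations {
		if op.Namespace != req.Namespace {
			return nil, fmt.Errorf("operation %d (%s): %w", i, op.Kind, ErrNamespaceMismatch)
		}
	}
	results := make([]string, 0, len(req.Operations))
	for range req.Operations {
		results = append(results, policyFor(req.Namespace))
	}
	return results, nil
}

func main() {
	// Constructed request: outer namespace tenant-a, one inner op pointing at tenant-b.
	req := MultiOperationRequest{
		Namespace: "tenant-a",
		Operations: []Operation{
			{Kind: "start", Namespace: "tenant-a"},
			{Kind: "update", Namespace: "tenant-b"},
		},
	}
	v, err := vulnerableDispatch("alice", req)
	fmt.Println("vulnerable:", v, err)
	h, err := hardenedDispatch("alice", req)
	fmt.Println("hardened:  ", h, err)
}
```

The validation runs before any inner operation is executed, so a mismatch fails the whole bundle rather than leaving some operations applied; that all-or-nothing check, plus evaluating policy only for the namespace the authorization step actually saw, is the property a reviewer should look for in any bundled or batched API.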

This incident underscores the importance of rigorous security audits, especially for platforms handling sensitive data and critical business processes. Developers should be cautious when implementing bundled APIs. Going forward, users of Temporal should ensure they are on a patched version to protect against this flaw. Updates and security patches are critical for any infrastructure-level software.