{
  "cve": "CVE-2026-5199",
  "validation_status": "confirmed",
  "vulnerability_exists": true,
  "fix_verified": true,
  "vulnerable_version": "v1.29.4",
  "fixed_version": "v1.29.5",
  "reproduction_successful": true,
  "reproduction_method": "Runtime reproduction against real Temporal Server binary (SQLite in-memory)",
  "details": {
    "issue_type": "CWE-285 Improper Authorization",
    "affected_component": "service/worker/batcher/activities.go - BatchActivityWithProtobuf",
    "root_cause": "BatchActivityWithProtobuf validated only batchParams.NamespaceId (UUID) via checkNamespaceID, but forwarded batchParams.Request.Namespace (name) to the internal frontend client. The internal frontend runs with NoopClaimMapper -> RoleAdmin, executing any namespace name unconditionally.",
    "exploit_scenario": "An authenticated attacker with writer access to namespace A crafts a BatchOperationInput where NamespaceId matches their own namespace (passes checkNamespaceID) but Request.Namespace targets victim namespace B. The batcher worker then signals/cancels/terminates/resets workflows in namespace B without authorization.",
    "fix_summary": "Commit 90738c6200 added a namespace-name check in startTaskProcessorProtobuf: it now verifies that the resolved namespace name matches batchParams.Request.Namespace before proceeding, closing the cross-namespace bypass.",
    "vulnerable_test_result": "Vulnerability reproduced successfully on v1.29.4 - forged BatchOperationInput caused cross-namespace workflow mutation.",
    "fixed_test_result": "Fix verified on v1.29.5 - same forged input was rejected/prevented from causing cross-namespace mutation."
  },
  "artifacts": {
    "rca_report": "repro/rca_report.md",
    "reproduction_script": "repro/reproduction_steps.sh",
    "runtime_manifest": "repro/runtime_manifest.json",
    "logs_directory": "logs/"
  },
  "timestamp": "2026-05-28T16:08:14Z"
}