{
  "variant_id": "CVE-2026-5199-variant-analysis",
  "created_at": "2026-05-28T17:00:00Z",
  "variant_summary": "Systematic variant analysis of CVE-2026-5199 (Temporal Server batcher worker cross-namespace authorization bypass). Seven distinct variant hypotheses were tested against v1.29.4 (vulnerable) and v1.29.5 (fixed). No bypass or alternate trigger was found on the fixed version for any of the tested hypotheses. Within that scope the fix appears comprehensive; the evidence is unit-test based (no end-to-end deployment was exercised), so this is not a proof that no further variants exist.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/temporalio/temporal",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "bca762906017547df7f248a1da0a3c2da46acdf3",
    "version": "v1.29.4",
    "ref": "v1.29.4",
    "display": "v1.29.4 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "68c602252f3e1929026e5988da881933a4f7b778",
    "version": "v1.29.5",
    "ref": "v1.29.5",
    "display": "v1.29.5 (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "BatchActivityWithProtobuf in service/worker/batcher/activities.go \u2014 multiple operation types and edge cases tested (SIGNAL, CANCEL, RESET, nil request, empty namespace, namespace name differing from the bound namespace only in letter case)",
  "validated_surface": "All tested surfaces were blocked by checkNamespaceProtobuf and the worker-bound namespace derivation in v1.29.5.",
  "required_entrypoint_kind": "activity",
  "required_entrypoint_detail": "BatchActivityWithProtobuf activity invoked via BatchWorkflowProtobuf or directly on the per-namespace worker task queue",
  "attacker_controlled_input": "BatchOperationInput protobuf with NamespaceId and Request.Namespace fields",
  "trigger_path": "service/worker/batcher/activities.go:BatchActivityWithProtobuf \u2192 checkNamespaceProtobuf \u2192 startTaskProcessorProtobuf \u2192 frontendClient.*",
  "observed_impact_class": "authorization_bypass",
  "exploitability_confidence": "none_found",
  "evidence_scope": "unit_tests",
  "runtime_manifest_present": false,
  "end_to_end_target_reached": false,
  "inferred": false,
  "blocking_mitigation": "Commit 90738c6200 added checkNamespaceProtobuf which validates both NamespaceId and Request.Namespace against the worker-bound namespace, and derives all downstream namespace usage from a.namespace.String() rather than the request.",
  "file_path": "service/worker/batcher/activities.go",
  "line_start": 277,
  "line_end": 296,
  "secondary_anchors": [
    {
      "file_path": "service/worker/batcher/activities.go",
      "line_start": 382,
      "line_end": 446
    },
    {
      "file_path": "service/worker/batcher/activities_namespace_test.go",
      "line_start": 1,
      "line_end": 131
    }
  ],
  "review_scope_paths": [
    "service/worker/batcher/",
    "service/worker/scheduler/",
    "service/worker/deployment/",
    "service/worker/workerdeployment/"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "repro_log": "logs/variant_v1.29.4.log",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh",
      "vuln_variant/variant_test.go"
    ]
  }
}