February 6, 2026
Bundle up, the leaks are coming
Masked namespace vulnerability in Temporal
One request, two identities — devs love it, security calls foul
TLDR: A researcher found a mix‑up in Temporal’s all‑in‑one request (ExecuteMultiOperation) that could prepare data for one customer’s namespace but save it under another’s, risking cross‑tenant data leakage. Readers are asking how to add extra protections on the client side, reigniting the classic tug‑of‑war between developer convenience and security caution.
A researcher just flagged a “who am I, really?” bug in Temporal, the behind‑the‑scenes workflow engine trusted by giants like Netflix and Stripe, and the internet is having a field day. The flaw lived in a fancy “bundle it all in one go” endpoint that let one request carry two different identities: the namespace your request was authorized against, and a second namespace tucked inside each bundled operation. In plain English: the system checked your badge at the door, then prepped the paperwork using someone else’s name. Yikes.
Commenters zeroed in on the vibes: convenience versus caution. Developers swooned over the efficiency of bundled requests, while security folks cried “classic complexity trap.” The top‑voted reaction, from haneul, lamented how a “relatively simple oversight” can risk cross‑tenant leakage (code for “your neighbors’ stuff might mix with yours”) and asked the million‑dollar question: is there any client‑side safety net to stop this when the provider slips? That turned the thread into a pragmatic debate about defense‑in‑depth: guardrails on both sides or bust.
Meanwhile, meme lords grabbed the write‑up’s own title “Two Faces” and ran with it, dubbing the endpoint “Two‑Face as a Service.” Others joked that bundling is “one request to rule them all,” right up until it rules your data. Drama, jokes, and a sobering takeaway: complexity bites — hard.
Key Points
- CVE-2025-14986 is an identity-binding vulnerability in Temporal’s ExecuteMultiOperation endpoint.
- Temporal authorizes the namespace on the outer request, but each inner operation carries its own namespace field, and that inner value can differ from the authorized one.
- Preparation uses the untrusted inner namespace while routing and persistence use the namespace ID resolved from the verified outer namespace.
- In a bundled request (StartWorkflow + UpdateWorkflow), that mismatch can cause cross-tenant leakage.
- Temporal is widely used by companies such as Netflix, Stripe, and Datadog, amplifying the potential impact.
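As an added illustration, not code from the write-up, from Temporal, or from anyone in the thread, here is a Go model of the mismatch the key points describe and of the binding check that closes it. The message types are simplified stand-ins that mirror only the relevant shape of Temporal’s multi-operation request (an outer Namespace plus inner start/update operations that each carry a Namespace of their own); the tenant names, workflow IDs, the Record type and every function name are invented for the example. The same CheckNamespaceBinding function is one answer to haneul’s client-side question: run it in a client interceptor before the request leaves, and a bundle that names two namespaces never reaches the server at all.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the Temporal API messages. Assumption for this
// example: the real ExecuteMultiOperationRequest carries an outer Namespace
// and wraps start/update requests that each carry a Namespace of their own.
type StartWorkflow struct{ Namespace, WorkflowID, WorkflowType string }
type UpdateWorkflow struct{ Namespace, WorkflowID, UpdateName string }

// Operation holds exactly one inner request, mirroring a protobuf oneof.
type Operation struct {
	Start  *StartWorkflow
	Update *UpdateWorkflow
}

type MultiOperationRequest struct {
	Namespace  string      // the namespace the caller was authorized against
	Operations []Operation // each inner op names a namespace of its own
}

var ErrNamespaceMismatch = errors.New("inner operation namespace differs from authorized outer namespace")

// InnerNamespace returns the namespace an inner operation names.
func InnerNamespace(op Operation) (string, error) {
	switch {
	case op.Start != nil && op.Update == nil:
		return op.Start.Namespace, nil
	case op.Update != nil && op.Start == nil:
		return op.Update.Namespace, nil
	}
	return "", errors.New("operation must hold exactly one inner request")
}

// CheckNamespaceBinding enforces the invariant the write-up says was missing:
// every inner operation must name the namespace authorized on the outer
// request. It returns the index of the first offending operation, or -1.
func CheckNamespaceBinding(req MultiOperationRequest) (int, error) {
	for i, op := range req.Operations {
		ns, err := InnerNamespace(op)
		if err != nil {
			return i, fmt.Errorf("operation %d: %w", i, err)
		}
		if ns != req.Namespace {
			return i, fmt.Errorf("operation %d: %w (outer=%q inner=%q)", i, ErrNamespaceMismatch, req.Namespace, ns)
		}
	}
	return -1, nil
}

// Record models what gets persisted (invented for this example): PersistedUnder is
// the namespace resolved from the verified outer request, PreparedFor is the one
// the preparation step actually consulted.
type Record struct{ PersistedUnder, PreparedFor string }

// PrepareVulnerable models the flawed flow: preparation trusts each inner
// namespace while persistence keys on the outer one, so the two can diverge.
func PrepareVulnerable(req MultiOperationRequest) []Record {
	var recs []Record
	for _, op := range req.Operations {
		inner, _ := InnerNamespace(op)
		recs = append(recs, Record{PersistedUnder: req.Namespace, PreparedFor: inner})
	}
	return recs
}

// PrepareHardened rejects the whole bundle on any mismatch and otherwise
// prepares every operation with the verified outer namespace alone.
func PrepareHardened(req MultiOperationRequest) ([]Record, error) {
	if _, err := CheckNamespaceBinding(req); err != nil {
		return nil, err
	}
	recs := make([]Record, len(req.Operations))
	for i := range recs {
		recs[i] = Record{PersistedUnder: req.Namespace, PreparedFor: req.Namespace}
	}
	return recs, nil
}

// CrossTenant reports whether any record was prepared for a namespace other
// than the one it was persisted under, which is the leakage condition.
func CrossTenant(recs []Record) bool {
	for _, r := range recs {
		if r.PreparedFor != r.PersistedUnder {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: authorized for tenant-a, but the bundled Update names tenant-b.
	req := MultiOperationRequest{Namespace: "tenant-a", Operations: []Operation{
		{Start: &StartWorkflow{Namespace: "tenant-a", WorkflowID: "wf-1", WorkflowType: "Order"}},
		{Update: &UpdateWorkflow{Namespace: "tenant-b", WorkflowID: "wf-1", UpdateName: "approve"}},
	}}
	fmt.Println("vulnerable flow mixes tenants:", CrossTenant(PrepareVulnerable(req)))
	_, err := PrepareHardened(req)
	fmt.Println("hardened flow rejects bundle:", err)
}
```

The check is deliberately strict: an inner operation whose namespace is empty, or that holds no request at all, is rejected rather than defaulted to the outer namespace, so a permissive "fill in the blank" path cannot reintroduce the same two-identity problem later. Placing the same function on both sides of the wire is the defense-in-depth the thread argued for: the server must enforce it, and a client that also enforces it fails closed the day the server regresses.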