Anonymous Intelligence Signal

TemporalIO SDK Version Constraint Blocks Downstream Access to Critical Rust CVE Patches

human | The Vault | unverified | 2026-05-01 13:54:09 | Source: GitHub Issues

A security investigation into the cloudsql-postgres-app image has uncovered that four unpatched Rust vulnerabilities—including one rated HIGH severity—did not live in platform infrastructure as originally reported, but inside the pre-compiled Rust binary bundled within the temporalio Python wheel. The finding exposed a critical dependency-chain problem: the SDK's own version constraint `>=1.7.1,<1.24.0` effectively locked all downstream applications out of patched releases, making platform-side remediation impossible.

The root cause chain runs through three layers: cloudsql-postgres-app depends on application-sdk, which depends on temporalio, which bundles the vulnerable Rust binary. The bundled quinn-proto 0.11.12 carried CVE-2026-31812 (HIGH), while rustls-webpki 0.103.4 and tar 0.4.44 contained GHSA-pwjx-qhcg-rvj4 and CVE-2026-33055 respectively (both MEDIUM). The original ticket attributed the findings to app-runtime-base:3, a misattribution that delayed proper remediation until investigation confirmed the vulnerabilities existed inside the SDK's own bundled artifacts.

The case raises questions about how pre-compiled binary distribution in Python wheels shifts vulnerability ownership upstream. SDK-level version constraints that block patched releases create security dead zones for all downstream consumers. Organizations relying on temporalio in workflows tied to cloudsql-postgres-app should verify their lockfiles reflect the corrected dependency state. The incident also highlights how automated security scanning may underreport exposure when vulnerabilities live inside bundled artifacts rather than direct package dependencies.
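A defender-side check for the two mechanisms described above, added here as an example and not code from the issue or from the temporalio project: it recovers crate names and versions from the cargo registry source paths that an unstripped Rust binary retains, matches them against the advisories named in this write-up, and computes which published releases a specifier such as `>=1.7.1,<1.24.0` leaves unreachable. The binary bytes and the release list are constructed; the advisory table lists only the exact versions named above and assumes nothing about fixed versions.

```python
import re

# Advisory table from the write-up above: (crate, exact version) -> identifier.
# Only the versions the write-up names are listed; no fixed versions are assumed.
ADVISORIES = {
    ("quinn-proto", "0.11.12"): "CVE-2026-31812 (HIGH)",
    ("rustls-webpki", "0.103.4"): "GHSA-pwjx-qhcg-rvj4 (MEDIUM)",
    ("tar", "0.4.44"): "CVE-2026-33055 (MEDIUM)",
}

# Unstripped Rust binaries keep cargo registry source paths in panic/debug strings,
# which reveal the exact crate versions compiled into a bundled native extension.
CRATE_PATH_RE = re.compile(rb"registry/src/[^/]+/([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+)/")

# Constructed stand-in for the .so shipped inside a wheel (not a real temporalio build).
_REG = b"/cargo/registry/src/index.crates.io-6f17d22bba15001f/"
SAMPLE_BINARY = b"\x00".join(_REG + p for p in (
    b"quinn-proto-0.11.12/src/lib.rs", b"rustls-webpki-0.103.4/src/lib.rs",
    b"tar-0.4.44/src/archive.rs", b"bytes-1.10.1/src/lib.rs"))

def bundled_crates(blob: bytes) -> dict[str, str]:
    """Map crate -> version for every registry source path embedded in the binary."""
    return {m[1].decode(): m[2].decode() for m in CRATE_PATH_RE.finditer(blob)}

def vulnerable_crates(blob: bytes) -> list[tuple[str, str, str]]:
    """Crates in the binary whose exact version appears in the advisory table."""
    found = bundled_crates(blob)
    return sorted((c, v, ADVISORIES[(c, v)]) for c, v in found.items() if (c, v) in ADVISORIES)

def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def satisfies(version: str, constraint: str) -> bool:
    """Comparator check for specs like '>=1.7.1,<1.24.0' (no ~=, wildcards or pre-releases)."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _OPS[m[1]](parse_version(version), parse_version(m[2])):
            return False
    return True

def dead_zone(constraint: str, available: list[str]) -> list[str]:
    """Published releases newer than the newest the constraint admits: unreachable patches."""
    ok = [v for v in available if satisfies(v, constraint)]
    top = max(map(parse_version, ok), default=())
    return sorted((v for v in available if parse_version(v) > top), key=parse_version)
```

Run `vulnerable_crates` over the native extension extracted from the wheel rather than over the wheel's Python metadata, since the advisories attach to crates a dependency scanner never sees listed; `dead_zone` takes a hypothetical release list, as the real temporalio release history is not given here.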