Skip to main content

CVE-2026-5724

| EUVDEUVD-2026-21607 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-10 security@temporal.io GHSA-q98v-9f9w-f49q
6.3
CVSS 4.0 · Vendor: temporal
Share

Severity by source

Vendor (temporal) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X

Primary rating from Vendor (temporal) · only source for this CVE.

CVSS VectorVendor: temporal

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
N

Lifecycle Timeline

3
EUVD ID Assigned
Apr 10, 2026 - 21:22 euvd
EUVD-2026-21607
Analysis Generated
Apr 10, 2026 - 21:22 vuln.today
CVE Published
Apr 10, 2026 - 21:16 nvd
MEDIUM 6.3

DescriptionCVE.org

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but  only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.

Temporal Cloud is not affected.

AnalysisAI

Temporal's frontend gRPC server fails to enforce authentication and authorization on the StreamWorkflowReplicationMessages endpoint, allowing unauthenticated network attackers to establish replication streams and potentially exfiltrate workflow data when replication targets are configured. The vulnerability affects Temporal versions prior to 1.28.4, 1.29.6, and 1.30.4; Temporal Cloud deployments are unaffected. While exploitation requires knowledge of cluster configuration and correctly configured replication targets, the authentication bypass on a network-accessible service combined with a moderate CVSS score (6.3) reflects the practical risk of unauthorized data access in multi-tenant or sensitive workflow environments.

Technical ContextAI

Temporal's frontend gRPC service implements streaming RPCs for workflow replication via the AdminService/StreamWorkflowReplicationMessages endpoint. The vulnerability stems from missing authorization interceptor middleware in the streaming interceptor chain (CWE-306: Missing Authentication), distinct from unary RPC handlers which properly enforce authentication via ClaimMapper and Authorizer configurations. The gRPC streaming endpoint is bound to the same frontend port as WorkflowService and cannot be disabled independently, creating an always-enabled unauthenticated pathway. The replication mechanism itself includes downstream validation-the history service checks cluster IDs and peer membership before returning sensitive replication data-but this secondary control is bypassed at the authentication layer, leaving the replication stream accessible without credentials.

RemediationAI

Vendor-released patches are available: upgrade to Temporal 1.28.4 or later (for 1.28.x branch), 1.29.6 or later (for 1.29.x branch), or 1.30.4 or later (for 1.30.x branch). The fix adds the authorization interceptor to the streaming interceptor chain for gRPC endpoints. Organizations unable to upgrade immediately should implement network-level access controls to restrict access to the Temporal frontend gRPC port (default 7233) to trusted internal networks only, and verify that replication targets are disabled or isolated if not required. For detailed patch information and release notes, consult https://github.com/temporalio/temporal/releases.

Share

CVE-2026-5724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy