Unauthorized Access in Temporal gRPC Server Stream for Workflow Service by Temporal
CVE-2026-5724

6.3 MEDIUM

Key Information:

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-5724?

Temporal's gRPC server does not enforce authorization in its streaming interceptor chain. Because that chain has no authorization interceptor, the AdminService/StreamWorkflowReplicationMessages endpoint accepts requests that carry no credentials, so an attacker with network access can reach the replication stream. Unary RPCs enforce authentication and authorization correctly, but this streaming endpoint, served on the same port as the WorkflowService, does not, which exposes it to data exfiltration. To exploit the vulnerability effectively, an attacker must know the specific cluster configuration.
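The following Go model is an added illustration, not Temporal's code and not the grpc-go API: it shows how a server that keeps separate unary and streaming interceptor chains lets a credential-less stream through when the authorization interceptor is registered on only one of them, and how a regression check catches it. The types `Call`, `Handler`, `Interceptor` and `Server` and the functions around them are simplified stand-ins assumed for the example.

```go
package main

import "fmt"

// Simplified stand-ins for gRPC interceptor chains (assumed for this example).
type Call struct {
	Method, Token string // an empty Token means the caller sent no credentials
}
type Handler func(Call) error
type Interceptor func(Call, Handler) error

var ErrUnauthenticated = fmt.Errorf("unauthenticated")

// authorize rejects any call that carries no credentials.
func authorize(c Call, next Handler) error {
	if c.Token == "" {
		return ErrUnauthenticated
	}
	return next(c)
}

// logging stands for any non-security interceptor in a chain.
func logging(c Call, next Handler) error { return next(c) }

// Server keeps one chain for unary RPCs and a separate one for streams.
type Server struct{ Unary, Stream []Interceptor }

// Dispatch runs a call through the chain that matches its RPC kind.
func (s Server) Dispatch(c Call, streaming bool) error {
	chain := s.Unary
	if streaming {
		chain = s.Stream
	}
	h := Handler(func(Call) error { return nil }) // the service method itself
	for i := len(chain) - 1; i >= 0; i-- {
		ic, next := chain[i], h // fresh variables so each closure keeps its own link
		h = func(c Call) error { return ic(c, next) }
	}
	return h(c)
}

// AnonymousStreamAllowed reports whether a credential-less stream is accepted.
func AnonymousStreamAllowed(s Server) bool {
	c := Call{Method: "AdminService/StreamWorkflowReplicationMessages"}
	return s.Dispatch(c, true) == nil
}

func main() {
	flawed := Server{Unary: []Interceptor{logging, authorize}, Stream: []Interceptor{logging}}
	fixed := Server{Unary: flawed.Unary, Stream: []Interceptor{logging, authorize}}
	fmt.Println(AnonymousStreamAllowed(flawed), AnonymousStreamAllowed(fixed))
}
```

A check of this shape belongs in the server's test suite so that every chain, not only the unary one, is exercised with an unauthenticated call.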

Affected Version(s)

temporal 1.24.0 <= 1.30.3

temporal 1.24.0 <= 1.29.5

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
