CVE Catalog

CVE-2026-5724

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile - higher than 41% of all known CVEs

Summary

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. Configured ClaimMapper and Authorizer were bypassed for the AdminService/StreamWorkflowReplicationMessages endpoint, allowing unauthenticated access.

Risk Assessment

An attacker with network access to the frontend port can open the replication stream without authentication, potentially leading to data exfiltration if the cluster configuration is known and a valid replication target is configured.

Recommendation

Immediately upgrade Temporal Server to version 1.28.4, 1.29.6, 1.30.4, 1.31.2, or 1.32.0 (or later) depending on your release line.

Original NVD description (English source)

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but  only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. The fix was applied per release line: it is present in 1.28.4, 1.29.6, 1.30.4, 1.31.2, and 1.32.0 and later releases on each line. Releases 1.31.0 and 1.31.1 do not contain the fix and are affected. Temporal Cloud is not affected.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS