
CVE

CVE-2026-5724

Temporal does not enforce authentication and authorization for the streaming AdminService/StreamWorkflowReplicationMessages endpoint

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but only when a replication target is correctly configured and the attacker knows the cluster configuration, because the history service validates cluster IDs and peer membership before returning replication data.

Temporal Cloud is not affected.
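The defect above is a wiring mistake rather than a flaw in the authorizer itself: gRPC keeps separate interceptor chains for unary and streaming calls, and an authorization interceptor registered on only one of them leaves the other kind of RPC unchecked. The following added example (constructed model code, not Temporal's or gRPC's own, with simplified interceptor signatures and a made-up credential token) shows the vulnerable and fixed wiring side by side so the difference can be asserted in a regression test.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Constructed model of gRPC's interceptor chains, not Temporal's code. An
// interceptor sees the method name and call context; returning nil lets the
// call proceed. Unary and stream RPCs run through separate chains, as in gRPC.
type Interceptor func(ctx context.Context, method string) error

type ServerChains struct{ Unary, Stream []Interceptor }
type credKey struct{}

var ErrUnauthenticated = errors.New("unauthenticated: no credentials on request")

// Endpoint as named in the advisory (proto package prefix omitted).
const ReplicationStream = "AdminService/StreamWorkflowReplicationMessages"

// AuthzInterceptor stands in for the ClaimMapper/Authorizer step.
func AuthzInterceptor(ctx context.Context, method string) error {
	if ctx.Value(credKey{}) == nil {
		return fmt.Errorf("%s: %w", method, ErrUnauthenticated)
	}
	return nil
}

// WithCreds attaches a constructed credential to the call context.
func WithCreds(ctx context.Context) context.Context { return context.WithValue(ctx, credKey{}, "token") }

// Dispatch runs the chain for the call kind. An empty stream chain admits a
// streaming call unchecked, which is the advisory's failure mode.
func (s ServerChains) Dispatch(ctx context.Context, method string, streaming bool) error {
	chain := s.Unary
	if streaming {
		chain = s.Stream
	}
	for _, ic := range chain {
		if err := ic(ctx, method); err != nil {
			return err
		}
	}
	return nil
}

// VulnerableChains wires authorization into the unary chain only.
func VulnerableChains() ServerChains { return ServerChains{Unary: []Interceptor{AuthzInterceptor}} }

// FixedChains wires the same interceptor into both chains.
func FixedChains() ServerChains {
	return ServerChains{Unary: []Interceptor{AuthzInterceptor}, Stream: []Interceptor{AuthzInterceptor}}
}
```

A test of this shape against the real server options catches the regression regardless of which streaming method is added next, since it exercises the chain rather than a single endpoint.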


CVSS Scores

Base Score: 6.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X

Base Score: 7.2 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L


References

https://nvd.nist.gov/vuln/detail/CVE-2026-5724
https://github.com/temporalio/temporal
https://github.com/temporalio/temporal/releases/tag/v1.28.4
https://github.com/temporalio/temporal/releases/tag/v1.29.6
https://github.com/temporalio/temporal/releases/tag/v1.30.4


Basic Information

Ecosystem
Base CVSS: 7.2
EPSS Probability: 0.00037%
EPSS Percentile: 0.11364%
Introduced Version: 0, v1.31.0, v1.30.0, v1.29.0, v1.21.0, v0.0.0-20230323174203-5210ad4c2957
Fix Available: 1.28.4, v1.32.0-155.0, v1.30.4, v1.29.6, v1.28.4, v0.0.0-20260408003102-3ab1eb25e7fc
