CVE-2026-5724
Unauthorized Access in Temporal Frontend gRPC Streaming Endpoint

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Temporal Technologies Inc.

Description
The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but only when a replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected.
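To make the root cause concrete, here is an added Go model of a server with separate unary and streaming interceptor chains (constructed for this page, not Temporal's code and not the grpc-go API): the authorization interceptor is wired into the unary chain only, so an unauthenticated streaming call reaches the handler, while the fixed wiring adds it to the stream chain as well. The Metadata, Handler, Interceptor and Server types, NewServer, and the `authorization` header check are all assumptions of this model.

```go
package main

import (
	"context"
	"errors"
)

// Constructed stand-in for a gRPC interceptor chain (no grpc dependency):
// an interceptor sees the request metadata and rejects or forwards the call.
type Metadata map[string]string
type Handler func(ctx context.Context, md Metadata) error
type Interceptor func(ctx context.Context, md Metadata, next Handler) error
var ErrUnauthenticated = errors.New("unauthenticated: no credentials on request")
// authorizer models the ClaimMapper/Authorizer interceptor: no credentials, no call.
func authorizer(ctx context.Context, md Metadata, next Handler) error {
	if md["authorization"] == "" {
		return ErrUnauthenticated
	}
	return next(ctx, md)
}
// logging is a benign interceptor that both chains carry.
func logging(ctx context.Context, md Metadata, next Handler) error { return next(ctx, md) }
// Server keeps one chain per RPC kind, like grpc.ChainUnaryInterceptor / grpc.ChainStreamInterceptor.
type Server struct{ unaryChain, streamChain []Interceptor }

// NewServer: vulnerable wiring has the authorizer on the unary chain only; fixed wiring adds it to the stream chain.
func NewServer(fixed bool) *Server {
	s := &Server{unaryChain: []Interceptor{logging, authorizer}, streamChain: []Interceptor{logging}}
	if fixed {
		s.streamChain = append(s.streamChain, authorizer)
	}
	return s
}

// run wraps the chain around a no-op RPC body so interceptors execute in order.
func run(chain []Interceptor, md Metadata) error {
	var h Handler = func(context.Context, Metadata) error { return nil }
	for i := len(chain) - 1; i >= 0; i-- {
		ic, inner := chain[i], h
		h = func(ctx context.Context, md Metadata) error { return ic(ctx, md, inner) }
	}
	return h(context.Background(), md)
}
func (s *Server) Unary(md Metadata) error  { return run(s.unaryChain, md) }
func (s *Server) Stream(md Metadata) error { return run(s.streamChain, md) }

func main() { // anonymous stream: vulnerable wiring lets it through, fixed wiring rejects it
	anon := Metadata{} // constructed request with no authorization header
	println("vulnerable allows:", NewServer(false).Stream(anon) == nil, "fixed allows:", NewServer(true).Stream(anon) == nil)
}
```

A useful regression check for any gRPC service with a ClaimMapper/Authorizer is exactly the last assertion pattern: call every registered streaming method without credentials and expect a rejection before the handler runs.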
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
temporal | temporal | 1.30.4
temporal | temporal | 1.29.6
temporal | temporal | 1.28.4
CWE ID | Description
CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists because the frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. While unary RPCs enforce authentication and authorization when a ClaimMapper and Authorizer are configured, the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without requiring credentials.

This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. As a result, an attacker with network access to the frontend port could open the replication stream without authentication.

However, data exfiltration is only possible if a replication target is correctly configured and the attacker knows the cluster configuration, since the history service validates cluster IDs and peer membership before returning replication data.


How can this vulnerability impact me?

An attacker with network access to the frontend port could exploit this vulnerability to open the replication stream without authentication.

This could lead to potential data exfiltration if the attacker has knowledge of the cluster configuration and if a replication target is properly configured.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized access to the streaming AdminService/StreamWorkflowReplicationMessages endpoint without authentication, potentially enabling data exfiltration if an attacker has network access and knowledge of the cluster configuration.

Such unauthorized data access and exfiltration could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and proper authentication and authorization mechanisms.

However, the vulnerability is limited by the need for a correctly configured replication target and cluster configuration knowledge, and the history service validates cluster IDs and peer membership before returning replication data.

