CVE-2026-5724
Status: Received - Intake
Unauthorized Access in Temporal Frontend gRPC Streaming Endpoint

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Temporal Technologies Inc.

Description
The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but only when a replication target is correctly configured and the attacker has knowledge of the cluster configuration, because the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected.
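The interceptor-chain gap in the description, as an added Go example that is not part of this CVE record or of Temporal's code base: it models a server's unary and streaming chains with stand-in types (no grpc module dependency), places the misconfigured server beside the corrected one, and adds an audit check that lists interceptors wired for unary RPCs but absent from the streaming chain. Every name and value here (withCredentials, authorizeUnary, authorizeStream, MissingFromStreamChain, the "admin-token" credential) is constructed for the example and is not an identifier from the affected product.

```go
package main

import (
	"context"
	"errors"
)

// Stand-ins for grpc.UnaryServerInterceptor and grpc.StreamServerInterceptor,
// constructed so this example runs without the grpc module. The wrapping is the
// same pattern a real server configures with grpc.ChainUnaryInterceptor and
// grpc.ChainStreamInterceptor.
type UnaryHandler func(ctx context.Context, req string) (string, error)
type UnaryInterceptor func(ctx context.Context, req string, next UnaryHandler) (string, error)
type StreamHandler func(ctx context.Context) error
type StreamInterceptor func(ctx context.Context, next StreamHandler) error

type ctxKey string
const claimsKey ctxKey = "claims"
var ErrUnauthenticated = errors.New("unauthenticated")

// withCredentials plays the ClaimMapper role: the constructed token
// "admin-token" yields an admin claim on the context; anything else yields none.
func withCredentials(ctx context.Context, token string) context.Context {
	if token == "admin-token" {
		return context.WithValue(ctx, claimsKey, "admin")
	}
	return ctx
}

func hasClaims(ctx context.Context) bool { _, ok := ctx.Value(claimsKey).(string); return ok }

// The authorization interceptor in both shapes. The defect on this page is
// that only the unary shape was wired into the frontend server.
func authorizeUnary(ctx context.Context, req string, next UnaryHandler) (string, error) {
	if !hasClaims(ctx) {
		return "", ErrUnauthenticated
	}
	return next(ctx, req)
}

func authorizeStream(ctx context.Context, next StreamHandler) error {
	if !hasClaims(ctx) {
		return ErrUnauthenticated
	}
	return next(ctx)
}

// Chain entries carry names so the chains can be audited as well as executed.
type namedUnary struct{ Name string; Fn UnaryInterceptor }
type namedStream struct{ Name string; Fn StreamInterceptor }
type Server struct{ unary []namedUnary; stream []namedStream }

// CallUnary and OpenStream are the two dispatch paths; each wraps its final
// handler in its own interceptor chain (outermost interceptor runs first).
func (s *Server) CallUnary(token, req string) (string, error) {
	h := func(ctx context.Context, req string) (string, error) { return "ok:" + req, nil }
	for i := len(s.unary) - 1; i >= 0; i-- {
		ic, next := s.unary[i].Fn, h
		h = func(ctx context.Context, req string) (string, error) { return ic(ctx, req, next) }
	}
	return h(withCredentials(context.Background(), token), req)
}

func (s *Server) OpenStream(token string) error {
	h := func(context.Context) error { return nil } // the stream body itself
	for i := len(s.stream) - 1; i >= 0; i-- {
		ic, next := s.stream[i].Fn, h
		h = func(ctx context.Context) error { return ic(ctx, next) }
	}
	return h(withCredentials(context.Background(), token))
}

// MissingFromStreamChain lists interceptors present on the unary chain but
// absent from the streaming chain; a non-empty result is the misconfiguration.
func MissingFromStreamChain(s *Server) []string {
	present := map[string]bool{}
	for _, n := range s.stream {
		present[n.Name] = true
	}
	var missing []string
	for _, n := range s.unary {
		if !present[n.Name] {
			missing = append(missing, n.Name)
		}
	}
	return missing
}

// VulnerableServer mirrors the bug: authorization on the unary chain only.
func VulnerableServer() *Server {
	return &Server{unary: []namedUnary{{"authorize", authorizeUnary}}}
}

// FixedServer wires the authorization interceptor into both chains.
func FixedServer() *Server {
	return &Server{unary: []namedUnary{{"authorize", authorizeUnary}}, stream: []namedStream{{"authorize", authorizeStream}}}
}
```

With VulnerableServer, an anonymous CallUnary fails with ErrUnauthenticated while an anonymous OpenStream succeeds, which is exactly the asymmetry the description reports; FixedServer rejects both. The audit function is the check worth keeping in a server's own tests: any interceptor that enforces identity on the unary chain must also appear on the stream chain, since a streaming endpoint registered on the same port shares the listener but not the unary chain.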
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-10
Generated: 2026-06-16
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products (3 associated CPEs)
Vendor    Product    Version / Range
temporal  temporal   1.30.4
temporal  temporal   1.29.6
temporal  temporal   1.28.4
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability exists because the frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. While unary RPCs enforce authentication and authorization when a ClaimMapper and Authorizer are configured, the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without requiring credentials.

This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. As a result, an attacker with network access to the frontend port could open the replication stream without authentication.

However, data exfiltration is only possible if a replication target is correctly configured and the attacker knows the cluster configuration, since the history service validates cluster IDs and peer membership before returning replication data.

Impact Analysis

An attacker with network access to the frontend port could exploit this vulnerability to open the replication stream without authentication.

This could lead to potential data exfiltration if the attacker has knowledge of the cluster configuration and if a replication target is properly configured.

Compliance Impact

This vulnerability allows unauthorized access to the streaming AdminService/StreamWorkflowReplicationMessages endpoint without authentication, potentially enabling data exfiltration if an attacker has network access and knowledge of the cluster configuration.

Such unauthorized data access and exfiltration could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and proper authentication and authorization mechanisms.

However, the vulnerability is limited by the need for a correctly configured replication target and cluster configuration knowledge, and the history service validates cluster IDs and peer membership before returning replication data.
