{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5724", "assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968", "state": "PUBLISHED", "assignerShortName": "Temporal", "dateReserved": "2026-04-06T21:59:05.129Z", "datePublished": "2026-04-10T21:06:31.788Z", "dateUpdated": "2026-04-13T16:10:49.014Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "61241ed8-fa44-4f23-92db-b8c443751968", "shortName": "Temporal", "dateUpdated": "2026-04-10T21:22:30.134Z"}, "title": "Missing Authentication on Streaming gRPC Replication Endpoint", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "affected": [{"vendor": "Temporal Technologies, Inc.", "product": "temporal", "collectionURL": "https://github.com", "packageName": "temporal", "repo": "https://github.com/temporalio/temporal", "versions": [{"status": "affected", "version": "1.24.0", "lessThanOrEqual": "1.30.3", "versionType": "semver"}, {"status": "affected", "version": "1.24.0", "lessThanOrEqual": "1.29.5", "versionType": "semver"}, {"status": "affected", "version": "1.24.0", "lessThanOrEqual": "1.28.3", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a\u00a0ClaimMapper\u00a0and\u00a0Authorizer\u00a0are configured, unary RPCs enforce authentication and authorization, but the streaming\u00a0AdminService/StreamWorkflowReplicationMessages\u00a0endpoint accepted requests without credentials. This endpoint is registered on the same port as\u00a0WorkflowService\u00a0and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but\u00a0 only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.\n\n\n\n\nTemporal Cloud is not affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a&nbsp;<code>ClaimMapper</code>&nbsp;and&nbsp;<code>Authorizer</code>&nbsp;are configured, unary RPCs enforce authentication and authorization, but the streaming&nbsp;<code>AdminService/StreamWorkflowReplicationMessages</code>&nbsp;endpoint accepted requests without credentials. This endpoint is registered on the same port as&nbsp;<code>WorkflowService</code>&nbsp;and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but&nbsp; only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.</div><div><br></div><div>Temporal Cloud is not affected.<span></span></div>"}]}], "references": [{"url": "https://github.com/temporalio/temporal/releases/tag/v1.29.6", "tags": ["patch"]}, {"url": "https://github.com/temporalio/temporal/releases/tag/v1.30.4", "tags": ["patch"]}, {"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.4", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "NO", "Recovery": "USER", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/S:N/AU:N/R:U/RE:L"}}], "credits": [{"lang": "en", "value": "Tiberiu Baron of UiPath's security team", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:10:36.242097Z", "id": "CVE-2026-5724", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:10:49.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5724", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:10:36.242097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:10:42.117Z"}}], "cna": {"title": "Missing Authentication on Streaming gRPC Replication Endpoint", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Tiberiu Baron of UiPath's security team"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 6.3, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/S:N/AU:N/R:U/RE:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/temporalio/temporal", "vendor": "Temporal Technologies, Inc.", "product": "temporal", "versions": [{"status": "affected", "version": "1.24.0", "versionType": "semver", "lessThanOrEqual": "1.30.3"}, {"status": "affected", "version": "1.24.0", "versionType": "semver", "lessThanOrEqual": "1.29.5"}, {"status": "affected", "version": "1.24.0", "versionType": "semver", "lessThanOrEqual": "1.28.3"}], "packageName": "temporal", "collectionURL": "https://github.com", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/temporalio/temporal/releases/tag/v1.29.6", "tags": ["patch"]}, {"url": "https://github.com/temporalio/temporal/releases/tag/v1.30.4", "tags": ["patch"]}, {"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.4", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a\u00a0ClaimMapper\u00a0and\u00a0Authorizer\u00a0are configured, unary RPCs enforce authentication and authorization, but the streaming\u00a0AdminService/StreamWorkflowReplicationMessages\u00a0endpoint accepted requests without credentials. This endpoint is registered on the same port as\u00a0WorkflowService\u00a0and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but\u00a0 only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.\n\n\n\n\nTemporal Cloud is not affected.", "supportingMedia": [{"type": "text/html", "value": "<div>The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a&nbsp;<code>ClaimMapper</code>&nbsp;and&nbsp;<code>Authorizer</code>&nbsp;are configured, unary RPCs enforce authentication and authorization, but the streaming&nbsp;<code>AdminService/StreamWorkflowReplicationMessages</code>&nbsp;endpoint accepted requests without credentials. This endpoint is registered on the same port as&nbsp;<code>WorkflowService</code>&nbsp;and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but&nbsp; only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.</div><div><br></div><div>Temporal Cloud is not affected.<span></span></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}]}], "providerMetadata": {"orgId": "61241ed8-fa44-4f23-92db-b8c443751968", "shortName": "Temporal", "dateUpdated": "2026-04-10T21:22:30.134Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5724", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:10:49.014Z", "dateReserved": "2026-04-06T21:59:05.129Z", "assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968", "datePublished": "2026-04-10T21:06:31.788Z", "assignerShortName": "Temporal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a\u00a0ClaimMapper\u00a0and\u00a0Authorizer\u00a0are configured, unary RPCs enforce authentication and authorization, but the streaming\u00a0AdminService/StreamWorkflowReplicationMessages\u00a0endpoint accepted requests without credentials. This endpoint is registered on the same port as\u00a0WorkflowService\u00a0and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but\u00a0 only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.\n\n\n\n\nTemporal Cloud is not affected."}], "id": "CVE-2026-5724", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "security@temporal.io", "type": "Secondary"}]}, "published": "2026-04-10T21:16:28.497", "references": [{"source": "security@temporal.io", "url": "https://github.com/temporalio/temporal/releases/tag/v1.28.4"}, {"source": "security@temporal.io", "url": "https://github.com/temporalio/temporal/releases/tag/v1.29.6"}, {"source": "security@temporal.io", "url": "https://github.com/temporalio/temporal/releases/tag/v1.30.4"}], "sourceIdentifier": "security@temporal.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@temporal.io", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.24.0,1.30.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.24.0,1.29.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.24.0,1.28.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "temporal", "source": "cna", "vendor": "Temporal Technologies, Inc."}, "product": "temporal", "vendor": "temporal"}], "analysis": {"en": {"generated_at": "2026-04-10T22:20:56.284034+00:00", "value": {"mitigation_remediation": ["Upgrade Temporal to v1.28.4 or later, which includes the missing authentication fix", "Ensure that replication targets are only configured for trusted clusters and that cluster IDs and peer membership checks are correctly enforced", "Restrict network access to the Temporal frontend gRPC port to trusted hosts or subnetworks to limit attacker reach", "Enable monitoring for unexpected replication stream activity and audit replication logs for unauthorized data transfers"], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass permitting potential data exfiltration via replication stream"}, "threat_synthesis": {"affected_systems": "Executables from Temporal Technologies, Inc. marked as temporal are impacted. Any deployment of Temporal that includes a replication target and uses the default streaming replication endpoint is vulnerable until an update is applied. The patch versions listed in the advisory \u2013 effectively v1.28.4 and all later releases \u2013 have addressed the issue.", "description_and_impact": "The vulnerability originates from missing authentication in the frontend gRPC server\u2019s streaming interceptor chain. When a ClaimMapper and Authorizer are configured, unary RPCs require credentials, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint does not enforce authentication. Consequently, an attacker with access to the frontend port can open the replication stream without credentials. Data exfiltration is possible, yet it requires a correctly configured replication target and the attacker\u2019s knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before transmitting data.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively exploited at scale. The most likely attack vector is a malicious entity that can reach the frontend gRPC port, which is often exposed to internal or compromised networks. Exploitation also mandates knowledge of the cluster configuration and a functional replication target; therefore, risk is higher in environments where replication is enabled and not properly isolated. Users should treat the vulnerability as potentially serious if sensitive workflow history is present."}}}}, "created": "2026-04-13T12:42:31.438328+00:00", "updated": "2026-04-13T12:57:19.193618+00:00", "vendors": ["temporal", "temporal$PRODUCT$temporal"]}