PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5724 Temporal Technologies, Inc. CVE debrief

The CVE record describes a vulnerability in Temporal's frontend gRPC server. The server's streaming interceptor chain did not include the authorization interceptor. This omission allowed unauthenticated access to the streaming AdminService/StreamWorkflowReplicationMessages endpoint. The endpoint, registered on the same port as WorkflowService, could not be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. However, data exfiltration is only possible if a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration. This is because the history service validates cluster IDs and peer membership before returning replication data.

Vendor
Temporal Technologies, Inc.
Product
temporal
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-10
Original CVE updated
2026-07-08
Advisory published
2026-04-10
Advisory updated
2026-07-08

Who should care

Users of Temporal, especially those who have configured a ClaimMapper and Authorizer, should verify their configurations and ensure they are running a patched version of Temporal. This includes users of Temporal Cloud, although it is noted that Temporal Cloud is not affected.

Technical summary

The vulnerability exists in the frontend gRPC server's streaming interceptor chain, which failed to include the authorization interceptor. This allowed unauthenticated access to the AdminService/StreamWorkflowReplicationMessages endpoint. The fix was applied in various releases: 1.28.4, 1.29.6, 1.30.4, 1.31.2, and 1.32.0 and later. Affected versions include 1.31.0 and 1.31.1. The CVSS score is 6.3, with a severity rating of MEDIUM.

Defensive priority

High priority should be given to patching affected versions of Temporal. Users should verify their configurations and ensure that they are running a patched version. Compensating controls, such as monitoring and exception tracking, may also be necessary.

Recommended defensive actions

  • Patch to a fixed version (1.28.4, 1.29.6, 1.30.4, 1.31.2, or 1.32.0 and later)
  • Verify ClaimMapper and Authorizer configurations
  • Monitor for suspicious activity
  • Implement compensating controls
  • Review configurations for exposed systems
  • Track exceptions and retest remediated assets
  • Validate cluster configurations and peer membership

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and affected versions. The fixes are applied in various releases, and users should ensure they are running a patched version. Evidence is limited, and defenders should verify configurations, monitor for suspicious activity, and implement compensating controls. The history service validates cluster IDs and peer membership before returning replication data, limiting the potential for data exfiltration. However, an attacker with network access to the frontend port could open the replication stream without authentication if a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-10T21:16:28.497Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.