PatchSiren cyber security CVE debrief
CVE-2026-5724 Temporal Technologies, Inc. CVE debrief
The CVE record describes a vulnerability in Temporal's frontend gRPC server. The server's streaming interceptor chain did not include the authorization interceptor. This omission allowed unauthenticated access to the streaming AdminService/StreamWorkflowReplicationMessages endpoint. The endpoint, registered on the same port as WorkflowService, could not be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. However, data exfiltration is only possible if a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration. This is because the history service validates cluster IDs and peer membership before returning replication data.
- Vendor
- Temporal Technologies, Inc.
- Product
- temporal
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-10
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-04-10
- Advisory updated
- 2026-07-08
Who should care
Users of Temporal, especially those who have configured a ClaimMapper and Authorizer, should verify their configurations and ensure they are running a patched version of Temporal. This includes users of Temporal Cloud, although it is noted that Temporal Cloud is not affected.
Technical summary
The vulnerability exists in the frontend gRPC server's streaming interceptor chain, which failed to include the authorization interceptor. This allowed unauthenticated access to the AdminService/StreamWorkflowReplicationMessages endpoint. The fix was applied in various releases: 1.28.4, 1.29.6, 1.30.4, 1.31.2, and 1.32.0 and later. Affected versions include 1.31.0 and 1.31.1. The CVSS score is 6.3, with a severity rating of MEDIUM.
Defensive priority
High priority should be given to patching affected versions of Temporal. Users should verify their configurations and ensure that they are running a patched version. Compensating controls, such as monitoring and exception tracking, may also be necessary.
Recommended defensive actions
- Patch to a fixed version (1.28.4, 1.29.6, 1.30.4, 1.31.2, or 1.32.0 and later)
- Verify ClaimMapper and Authorizer configurations
- Monitor for suspicious activity
- Implement compensating controls
- Review configurations for exposed systems
- Track exceptions and retest remediated assets
- Validate cluster configurations and peer membership
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and affected versions. The fixes are applied in various releases, and users should ensure they are running a patched version. Evidence is limited, and defenders should verify configurations, monitor for suspicious activity, and implement compensating controls. The history service validates cluster IDs and peer membership before returning replication data, limiting the potential for data exfiltration. However, an attacker with network access to the frontend port could open the replication stream without authentication if a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-10T21:16:28.497Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.