CVE-2026-5724: Missing Authentication in Temporal gRPC Streaming Endpoint

Vulnerability ID: CVE-2026-5724
CVSS Score: 6.3
Published: 2026-04-10

Temporal's go.temporal.io/server package contains a missing authentication vulnerability in its frontend gRPC server. The streaming interceptor chain omits the authorization interceptor, allowing unauthenticated network attackers to access the AdminService/StreamWorkflowReplicationMessages endpoint and potentially exfiltrate workflow replication data.

TL;DR

A missing interceptor in Temporal's gRPC streaming configuration allows unauthenticated access to a cross-cluster replication endpoint, enabling potential data exfiltration if the attacker possesses internal cluster routing configurations.

Technical Details

• CWE ID: CWE-306
• Attack Vector: Network
• Authentication Required: None
• CVSS v4.0 Score: 6.3 (Medium)
• EPSS Score: 0.10%
• Exploit Status: None
• Impact: Conditional Data Exfiltration

Affected Systems

• Temporal Server (go.temporal.io/server)
• Temporal Frontend Service
• go.temporal.io/server: 1.24.0 <= v < 1.28.4 (Fixed in: 1.28.4)
• go.temporal.io/server: 1.29.0 <= v < 1.29.6 (Fixed in: 1.29.6)
• go.temporal.io/server: 1.30.0 <= v < 1.30.4 (Fixed in: 1.30.4)

Mitigation Strategies

• Upgrade the Temporal server to a patched release (1.28.4, 1.29.6, or 1.30.4).
• Implement network segmentation to restrict access to the Temporal frontend port strictly to trusted internal traffic and verified peer clusters.
• Monitor incoming gRPC traffic for unexpected streams directed at the AdminService endpoint.

Remediation Steps:

1. Verify the current Temporal server version deployed in your environment.
2. Ensure replication clients are configured with valid credentials compatible with the ClaimMapper and Authorizer.
3. Upgrade the Temporal server deployment to version 1.28.4, 1.29.6, or 1.30.4.
4. If replication fails during the upgrade cycle, temporarily enable the 'system.disableStreamingAuthorizer' dynamic configuration flag to restore service.
5. Rotate credentials and fully disable the fallback configuration flag once operations normalize.

References

• GitHub Advisory GHSA-q98v-9f9w-f49q
• NVD CVE-2026-5724 Detail
• NixOS Issue tracking Temporal update

Read the full report for CVE-2026-5724 on our website for more details including interactive diagrams and full exploit analysis.