VDB

CVE-2026-5724

CVE-2026-5724 PUBLISHED CVSS 6.300000190734863 MEDIUM

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but  only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected.

EPSS 0.04% · 11.3th percentile

Risk Scores

CVSS v4.0
6.300000190734863
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/S:N/AU:N/R:U/RE:L
EPSS Score
0.04%
11.3th percentile

Affected Products

VendorProductVersions
Temporal Technologies, Inc.temporal1.24.0, 1.24.0, 1.24.0

Timeline

  • Apr 10, 2026 CVE Published
  • Apr 10, 2026 PoC Published
  • Apr 11, 2026 EPSS Score
  • Apr 11, 2026 Security Advisory
  • Apr 13, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›