CVE-2026-5724— Missing Authentication on Streaming gRPC Replication Endpoint

Missing Authentication on Streaming gRPC Replication Endpoint

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but  only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected.

N/A

关键功能的认证机制缺失

Temporal 安全漏洞

Temporal是temporal.io开源的一个持久化执行平台。 temporal存在安全漏洞，该漏洞源于前端gRPC服务器的流式拦截器链未包含授权拦截器，导致配置ClaimMapper和Authorizer时，流式AdminService/StreamWorkflowReplicationMessages端点接受无凭据请求，可能允许具有网络访问权限的攻击者未经身份验证打开复制流，可能导致数据渗漏。

N/A

N/A