Listen to this Post
How the mentioned CVE works:
The Temporal frontend gRPC server processes incoming API calls. It uses an interceptor chain to handle tasks like authentication, authorization, and logging. Unary RPCs (single request-response) correctly include the authorization interceptor. However, the streaming interceptor chain for the AdminService/StreamWorkflowReplicationMessages endpoint did not include this interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but this streaming endpoint accepted requests without credentials. The endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port can open the replication stream without authentication. Data exfiltration is possible only when a replication target is correctly configured and the attacker knows the cluster configuration. The history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected. The vulnerability is fixed in versions 1.28.4, 1.29.6, and 1.30.4.
dailycve form:
Platform: Temporal
Version: <1.28.4, 1.29.0-135.0-<1.29.6, 1.30.0-143.0-<1.30.4
Vulnerability: Authentication Bypass
Severity: Medium
Date: 2026-04-10
Prediction: 2026-04-10
What Undercode Say:
Check Temporal version
temporal-server –version
Test for missing auth on streaming endpoint (requires network access)
grpcurl -plaintext -d ‘{}’ :7233 temporal.api.admin.v1.AdminService/StreamWorkflowReplicationMessages
Verify interceptor chain in source (temporal/service/frontend/interceptor.go)
grep -A 5 “StreamInterceptor” temporal/service/frontend/interceptor.go
Monitor logs for unauthorized stream attempts
journalctl -u temporal-server | grep “StreamWorkflowReplicationMessages”
Exploit:
An unauthenticated attacker can open a gRPC stream to the AdminService/StreamWorkflowReplicationMessages endpoint. The attacker does not need valid credentials. If the cluster has a configured replication target and the attacker knows the cluster configuration, they can exfiltrate replication data.
Protection from this CVE:
Upgrade to Temporal versions 1.28.4, 1.29.6, or 1.30.4. If upgrading is not possible, restrict network access to the frontend port (default 7233) to trusted sources. Monitor for unexpected connections to the streaming endpoint. For self-hosted deployments, ensure the replication target is not configured unless absolutely necessary.
Impact:
An unauthenticated attacker can open a replication stream, leading to potential data exfiltration. The impact is limited because the attacker needs knowledge of the cluster configuration and a valid replication target. However, the missing authentication bypasses a critical security control.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

