VYPR

Temporal

by Temporalio

Source repositories

CVEs (6)

  • CVE-2026-5724MedApr 10, 2026
    risk 0.41cvss epss 0.01

    The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endp…

  • CVE-2025-8396MedSep 15, 2025
    risk 0.38cvss epss 0.00

    Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed…

  • CVE-2025-14987MedDec 30, 2025
    risk 0.27cvss epss 0.00

    When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the…

  • CVE-2024-2689MedApr 3, 2024
    risk 0.22cvss 4.4epss 0.00

    Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task…

  • CVE-2026-5199LowApr 1, 2026
    risk 0.08cvss epss 0.00

    A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) and, for signal operations, signal names.…

  • CVE-2025-14986LowDec 30, 2025
    risk 0.01cvss epss 0.00

    When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows…