Nixpkgs security tracker

Untriaged

Permalink CVE-2026-5724

created 4 days, 8 hours ago

Missing Authentication on Streaming gRPC Replication Endpoint

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected.

References

Affected products

temporal

=<1.30.3
=<1.29.5
=<1.28.3

Matching in nixpkgs

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

nixos-unstable 1.30.3
- nixpkgs-unstable 1.30.3
- nixos-unstable-small 1.30.3
nixos-25.11 1.29.4
- nixos-25.11-small 1.29.4
- nixpkgs-25.11-darwin 1.29.4

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

nixos-unstable 1.6.2
- nixpkgs-unstable 1.6.2
- nixos-unstable-small 1.6.2
nixos-25.11 1.5.1
- nixos-25.11-small 1.5.1
- nixpkgs-25.11-darwin 1.5.1

pkgs.temporal_capi

A Rust implementation of ECMAScript's Temporal API

nixos-unstable 0.2.2
- nixpkgs-unstable 0.2.2
- nixos-unstable-small 0.2.2
nixos-25.11 0.1.2
- nixos-25.11-small 0.1.2
- nixpkgs-25.11-darwin 0.1.2

pkgs.temporal-ui-server

Golang Server for Temporal Web UI

nixos-unstable 2.44.1
- nixpkgs-unstable 2.44.1
- nixos-unstable-small 2.44.1
nixos-25.11 2.43.3
- nixos-25.11-small 2.43.3
- nixpkgs-25.11-darwin 2.43.3

pkgs.python312Packages.temporalio

Temporal Python SDK

nixos-25.11 1.19.0
- nixos-25.11-small 1.19.0
- nixpkgs-25.11-darwin 1.19.0

pkgs.python313Packages.temporalio

Temporal Python SDK

nixos-unstable 1.23.0
- nixpkgs-unstable 1.23.0
- nixos-unstable-small 1.23.0
nixos-25.11 1.19.0
- nixos-25.11-small 1.19.0
- nixpkgs-25.11-darwin 1.19.0

pkgs.python314Packages.temporalio

Temporal Python SDK

nixos-unstable 1.23.0
- nixpkgs-unstable 1.23.0
- nixos-unstable-small 1.23.0

pkgs.haskellPackages.temporal-media

data types for temporal media

nixos-unstable 0.6.3
- nixpkgs-unstable 0.6.3
- nixos-unstable-small 0.6.3
nixos-25.11 0.6.3
- nixos-25.11-small 0.6.3
- nixpkgs-25.11-darwin 0.6.3

pkgs.terraform-providers.temporalcloud

None

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.postgresqlPackages.temporal_tables

Temporal Tables PostgreSQL Extension

nixos-unstable 1.2.2
- nixpkgs-unstable 1.2.2
- nixos-unstable-small 1.2.2
nixos-25.11 1.2.2
- nixos-25.11-small 1.2.2
- nixpkgs-25.11-darwin 1.2.2

pkgs.haskellPackages.temporal-api-protos

None

nixos-unstable 2025.10.1.0
- nixpkgs-unstable 2025.10.1.0
- nixos-unstable-small 2025.10.1.0
nixos-25.11 2025.10.1.0
- nixos-25.11-small 2025.10.1.0
- nixpkgs-25.11-darwin 2025.10.1.0