go.temporal.io/server (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package go.temporal.io/server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2025-8396: Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due…
CVE-2026-5724: The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are…
CVE-2025-14987: When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g…
CVE-2024-2689 — CVSS 4.4 (medium): Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to…
CVE-2023-3485 — CVSS 3.0 (low): Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access…
CVE-2026-5199: A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the…
CVE-2025-14986: When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded…