CVE-2025-8396
MEDIUM
Temporal Server < 1.26.3, 1.27.0-1.27.2, 1.28.0 - Denial of Service via Authorization Header Bounds Check
Title source: llm
Description
Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation. This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.
Scores
CVSS v4
6.9
EPSS
0.0036
EPSS Percentile
27.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (4)
go.temporal.io/server
0 - 1.26.3
Go
Temporal/OSS Server
< 1.26.3
Temporal/OSS Server
1.27.0 - 1.27.3
Temporal/OSS Server
1.28.0 - 1.28.1
Published
Sep 15, 2025
Tracked Since
Feb 18, 2026