CVE-2025-8396

Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation. This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.

Published: Sep 15, 2025
Updated: Sep 16, 2025
CVE: CVE-2025-8396
GHSA: GHSA-p768-c3pr-6459
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
go.temporal.io/server	-	1.26.3
go.temporal.io/server	1.27.0-126.0	1.27.3
go.temporal.io/server	1.28.0-129.0	1.28.1

https://github.com/temporalio/temporal/releases/tag/v1.26.3
https://github.com/temporalio/temporal/releases/tag/v1.27.3
https://github.com/temporalio/temporal/releases/tag/v1.28.1

Vulnerability Database

CVE-2025-8396

Deep Security Visibility Without the Complexity