Temporal addresses multiple CVEs across Go crypto, networking, and runtime layers. Builders running production workflows need to evaluate upgrade urgency based on threat exposure.
Eliminate cryptographic and network-layer vulnerabilities that could silently degrade mTLS security in your workflow infrastructure.
Signal analysis
Here at industry sources, we tracked the Temporal v1.28.3 release and identified a pattern worth your attention: this isn't a routine maintenance bump. The patch addresses CVEs across four critical layers - golang.org/x/crypto, golang.org/x/net, the Go runtime itself, and Elasticsearch. This layered vulnerability exposure suggests potential attack vectors in cryptographic operations, network communication, and state management.
The golang.org/x/crypto jump from v0.37.0 to v0.45.0 is significant because it fixes vulnerabilities in crypto/tls and crypto/x509 - the exact mechanisms Temporal uses for securing inter-component communication and certificate validation. If your workflows exchange sensitive data between workers, servers, or external services, these fixes directly impact your threat surface.
The Go runtime upgrade from 1.24.5 to 1.24.13 signals runtime-level security fixes that Go itself identified as critical. Elasticsearch moving to 8.5.0 addresses its own CVE stack, particularly relevant if you use Temporal Cloud or self-hosted instances with persistent storage.
The decision to upgrade hinges on three questions: Are you running Temporal in a zero-trust network? Does your workflow involve certificate-based mTLS authentication? Are you exposed to untrusted client connections? If you answered yes to any, this patch moves from recommended to urgent.
Crypto/tls vulnerabilities are particularly dangerous because they often don't fail loudly - they degrade security posture silently. A weakness in certificate validation could allow man-in-the-middle attacks on workflow execution calls or activity worker connections. The x509 fixes specifically address certificate parsing, which is foundational to Temporal's security model.
For self-hosted operators, the Elasticsearch upgrade is non-negotiable if you've exposed ES to external networks or if your compliance requirements mandate patching within specific timeframes. Cloud operators should verify Temporal's internal deployment schedule - they may have already patched their shared infrastructure.
This is a patch release (v1.28.3), which means it's designed to be a drop-in replacement for v1.28.x deployments. No schema migrations, no API changes, no feature compatibility concerns. However, operators should still treat this as a staged rollout, not a blanket deployment.
Start by testing in a non-production environment that mirrors your production network topology - particularly if you rely on mTLS or certificate pinning. Run your integration test suite against the patched version. Watch for TLS handshake timing changes (unlikely but possible with crypto updates). Validate that external service connections still establish properly.
For containerized deployments, rebuild your Temporal server images with the patched Go runtime and dependencies. If you use Helm charts or Docker Compose, update your base images first. Tag versions carefully - treat v1.28.3 as a distinct artifact, not a replacement for v1.28.2. This lets you roll back cleanly if needed. The momentum in this space continues to accelerate.
Best use cases
Open the scenarios below to see where this shift creates the clearest practical advantage.
One concise email with the releases, workflow changes, and AI dev moves worth paying attention to.
More updates in the same lane.
Mastercard's Agent Pay allows AI agents to perform transactions autonomously, necessitating a shift in payment systems for builders.
Mistral Forge allows organizations to convert proprietary knowledge into custom AI models, enhancing enterprise capabilities.
Version 8.1 of the MongoDB Entity Framework Core Provider brings essential updates. This article analyzes the implications for builders.
