Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint needing any authenticated account (PR:L) with low complexity and no interaction; impact is integrity-only (deleting/altering others' 3PID bindings), no confidentiality or availability loss.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint without ownership verification. Attackers can exploit the unverified Forget3PID handler to remove a victim's email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim's password reset flow.
AnalysisAI
Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local user delete another user's third-party identifier (3PID) bindings via the POST /account/3pid/delete endpoint, because the Forget3PID handler removes the supplied address/medium without verifying ownership. By stripping a victim's email or MSISDN binding and rebinding it through an identity server, an attacker can hijack the victim's account-recovery/password-reset flow. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated account on the target Dendrite homeserver (CVSS PR:L) - any low-privilege local user suffices, no admin rights and no victim interaction (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a credible, moderate-to-high priority integrity issue rather than a hypothetical high-CVSS finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses any ordinary account on a target Dendrite homeserver, then sends a crafted POST to the account/3pid/delete endpoint supplying a victim's known email address and medium 'email'. The server deletes the victim's binding without ownership checks; the attacker rebinds that address to their own control via an identity server and triggers the victim's password reset to take over the account. … |
| Remediation | No vendor-released patch version is identified in the available data, so upgrade to a fixed Dendrite release once matrix-org publishes one and monitor the VulnCheck advisory (https://www.vulncheck.com/advisories/dendrite-improper-authorization-via-post-account-3pid-delete-endpoint) and the Dendrite project releases for a version above 0.13.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, confirm whether Dendrite is deployed in your environment and which version is running; if version 0.13.8 or earlier, assess the scope of access (is Dendrite internally deployed, or exposed to untrusted users?). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server a
Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered curr
gomatrixserverlib is a Go library for matrix protocol federation. Rated high severity (CVSS 8.8), this vulnerability is
Dendrite is a Matrix homeserver written in Go. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45192
GHSA-35h8-2q42-v6f5