Skip to main content

Dendrite CVE-2026-63097

| EUVDEUVD-2026-45195 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-17 VulnCheck GHSA-xq7h-2f2w-f2xq
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Requires authenticated account (PR:L) over network; low confidentiality impact from room state disclosure only; no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:19 vuln.today
CVE Published
Jul 17, 2026 - 15:32 cve.org
MEDIUM 5.3

DescriptionCVE.org

Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.

AnalysisAI

Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered current room state from rooms they have previously exited. The syncapi /context endpoint in syncapi/routing/context.go performs an incomplete membership check - evaluating only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership - effectively treating departed users as current members for this endpoint alone. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authenticated Dendrite account
Delivery
Join target private room
Exploit
Leave target room
Execution
Retrieve prior event ID from room
Persist
Call /context endpoint with that event ID
Impact
Receive unfiltered current post-leave room state

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated account on the target Dendrite homeserver (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) accurately reflects the attack profile: network-reachable, low complexity, no attack requirements, but constrained to authenticated users (PR:L) with limited confidentiality impact (VC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user who previously joined and departed a private Matrix room hosted on a Dendrite server calls GET /_matrix/client/v3/rooms/{roomId}/context/{eventId} using an event ID they observed before leaving. Because context.go checks only RoomExists rather than the full membership state, the server returns unfiltered current room state - including current membership lists, room topic, and other state events - that the /sync and /messages endpoints would correctly withhold. …
Remediation No vendor-released patched version is confirmed in the available reference data; administrators should monitor the matrix-org/dendrite GitHub repository for a tagged release addressing this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy