Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires authenticated account (PR:L) over network; low confidentiality impact from room state disclosure only; no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.
AnalysisAI
Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered current room state from rooms they have previously exited. The syncapi /context endpoint in syncapi/routing/context.go performs an incomplete membership check - evaluating only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership - effectively treating departed users as current members for this endpoint alone. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated account on the target Dendrite homeserver (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) accurately reflects the attack profile: network-reachable, low complexity, no attack requirements, but constrained to authenticated users (PR:L) with limited confidentiality impact (VC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user who previously joined and departed a private Matrix room hosted on a Dendrite server calls GET /_matrix/client/v3/rooms/{roomId}/context/{eventId} using an event ID they observed before leaving. Because context.go checks only RoomExists rather than the full membership state, the server returns unfiltered current room state - including current membership lists, room topic, and other state events - that the /sync and /messages endpoints would correctly withhold. … |
| Remediation | No vendor-released patched version is confirmed in the available reference data; administrators should monitor the matrix-org/dendrite GitHub repository for a tagged release addressing this issue. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local
Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server a
gomatrixserverlib is a Go library for matrix protocol federation. Rated high severity (CVSS 8.8), this vulnerability is
Dendrite is a Matrix homeserver written in Go. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45195
GHSA-xq7h-2f2w-f2xq