Skip to main content

Matrix Synapse EUVDEUVD-2026-32934

| CVE-2026-45076 MEDIUM
Improper Input Validation (CWE-20)
2026-05-14 https://github.com/element-hq/synapse GHSA-6qf2-7x63-mm6v
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 17:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 17:04 vuln.today
Analysis Generated
May 14, 2026 - 17:04 vuln.today
CVE Published
May 14, 2026 - 16:18 nvd
MEDIUM

DescriptionGitHub Advisory

Impact

In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients.

Clients could therefore fail to display room history.

Patches

Update to Synapse 1.152.1 or later.

Workarounds

There are no known workarounds for this issue.

Identifiers

  • ELEMENTSEC-2025-1636

For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).

AnalysisAI

Malicious homeservers in federated Matrix rooms can craft room events that prevent Synapse from delivering complete message history to paginating clients, causing clients to fail displaying room history. This affects Synapse versions prior to 1.152.1 and represents an information disclosure vulnerability where room history may be withheld from legitimate users due to adversarial event construction by a remote federated homeserver.

Technical ContextAI

Synapse is the reference implementation of the Matrix protocol, an open standard for decentralized, interoperable real-time communication. The vulnerability exploits improper validation of room events (CWE-20: Improper Input Validation) in the context of federated architecture, where homeservers communicate across trust boundaries to maintain shared room state. When clients request room history pagination via the Matrix client-server API, Synapse aggregates events from its database and federated sources. Malicious homeservers can craft events with specific properties that cause Synapse's pagination logic to fail, preventing it from returning the complete history slice requested by the client. This is not a traditional denial-of-service against availability, but rather a targeted information disclosure where legitimate historical messages become inaccessible through normal pagination flow.

RemediationAI

Upgrade Matrix Synapse to version 1.152.1 or later immediately. Follow Element's official upgrade guidance at https://github.com/element-hq/synapse to perform the update, which typically involves backing up the database, installing the patched package (pip install matrix-synapse>=1.152.1), and restarting the Synapse service. No workarounds exist; patching is the sole remediation. Organizations unable to patch immediately should consider restricting federated room access or disabling federation temporarily if operationally feasible, though these are crude mitigations that impact user experience and should not substitute for prompt patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-32934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy