Skip to main content

Dendrite EUVDEUVD-2026-45192

| CVE-2026-63095 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 VulnCheck GHSA-35h8-2q42-v6f5
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable endpoint needing any authenticated account (PR:L) with low complexity and no interaction; impact is integrity-only (deleting/altering others' 3PID bindings), no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:16 vuln.today
CVE Published
Jul 17, 2026 - 15:27 cve.org
HIGH 7.1

DescriptionCVE.org

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint without ownership verification. Attackers can exploit the unverified Forget3PID handler to remove a victim's email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim's password reset flow.

AnalysisAI

Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local user delete another user's third-party identifier (3PID) bindings via the POST /account/3pid/delete endpoint, because the Forget3PID handler removes the supplied address/medium without verifying ownership. By stripping a victim's email or MSISDN binding and rebinding it through an identity server, an attacker can hijack the victim's account-recovery/password-reset flow. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as any local user
Delivery
Send crafted POST /account/3pid/delete with victim address
Exploit
Forget3PID deletes binding without ownership check
Execution
Rebind address via identity server
Persist
Trigger victim password reset
Impact
Take over victim account

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated account on the target Dendrite homeserver (CVSS PR:L) - any low-privilege local user suffices, no admin rights and no victim interaction (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a credible, moderate-to-high priority integrity issue rather than a hypothetical high-CVSS finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses any ordinary account on a target Dendrite homeserver, then sends a crafted POST to the account/3pid/delete endpoint supplying a victim's known email address and medium 'email'. The server deletes the victim's binding without ownership checks; the attacker rebinds that address to their own control via an identity server and triggers the victim's password reset to take over the account. …
Remediation No vendor-released patch version is identified in the available data, so upgrade to a fixed Dendrite release once matrix-org publishes one and monitor the VulnCheck advisory (https://www.vulncheck.com/advisories/dendrite-improper-authorization-via-post-account-3pid-delete-endpoint) and the Dendrite project releases for a version above 0.13.8. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, confirm whether Dendrite is deployed in your environment and which version is running; if version 0.13.8 or earlier, assess the scope of access (is Dendrite internally deployed, or exposed to untrusted users?). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy