Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:N confirmed by unauthenticated endpoint; S:C because SSRF reaches beyond Dendrite to probe internal systems; C:L for leaked internal network topology; no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers can exploit distinguishable error response classes and leaked internal IP addresses in error messages to perform blind port scanning and enumerate internal network topology.
AnalysisAI
Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server as a port-scanning proxy against internal networks by supplying arbitrary host and port values via the unvalidated serverName parameter on the legacy media download endpoint. The server initiates outbound TLS connections to attacker-controlled destinations, and distinguishable error response classes combined with leaked internal IP addresses in error messages expose internal network topology. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to the Dendrite instance's `/_matrix/media/r0/download` endpoint, which is typically internet-exposed on Matrix homeservers as part of federation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N, score 6.9) accurately captures that no authentication is required, complexity is low, and the primary impact is low-confidence reconnaissance on subsequent internal systems rather than direct data exfiltration or service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP GET request to `/_matrix/media/r0/download/{serverName}/{mediaId}` on a public-facing Dendrite instance, substituting `serverName` with an internal target such as `192.168.10.5:6379` (a Redis port). The Dendrite server attempts an outbound TLS connection to that address, and the attacker distinguishes between a TCP-refused error, a timeout, and a TLS handshake response to infer whether the port is open, closed, or filtered - effectively using Dendrite as a port scanner against its internal network. … |
| Remediation | No specific patched release version has been confirmed in the available data - patch availability per vendor advisory should be independently verified against the Dendrite GitHub release page before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local
Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered curr
gomatrixserverlib is a Go library for matrix protocol federation. Rated high severity (CVSS 8.8), this vulnerability is
Dendrite is a Matrix homeserver written in Go. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45194
GHSA-jrcq-4ccj-6fr8