Skip to main content

Dendrite EUVDEUVD-2026-45194

| CVE-2026-63096 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-17 VulnCheck GHSA-jrcq-4ccj-6fr8
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.8 MEDIUM

PR:N confirmed by unauthenticated endpoint; S:C because SSRF reaches beyond Dendrite to probe internal systems; C:L for leaked internal network topology; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:19 vuln.today
CVE Published
Jul 17, 2026 - 15:30 cve.org
MEDIUM 6.9

DescriptionCVE.org

Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers can exploit distinguishable error response classes and leaked internal IP addresses in error messages to perform blind port scanning and enumerate internal network topology.

AnalysisAI

Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server as a port-scanning proxy against internal networks by supplying arbitrary host and port values via the unvalidated serverName parameter on the legacy media download endpoint. The server initiates outbound TLS connections to attacker-controlled destinations, and distinguishable error response classes combined with leaked internal IP addresses in error messages expose internal network topology. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed Dendrite server
Delivery
Craft request to /_matrix/media/r0/download with internal host:port as serverName
Exploit
Server initiates outbound TLS dial to attacker-specified target
Execution
Observe and classify HTTP error responses per port
Persist
Correlate response classes to infer open/closed/filtered state
Impact
Map internal network topology for lateral movement planning

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the Dendrite instance's `/_matrix/media/r0/download` endpoint, which is typically internet-exposed on Matrix homeservers as part of federation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N, score 6.9) accurately captures that no authentication is required, complexity is low, and the primary impact is low-confidence reconnaissance on subsequent internal systems rather than direct data exfiltration or service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP GET request to `/_matrix/media/r0/download/{serverName}/{mediaId}` on a public-facing Dendrite instance, substituting `serverName` with an internal target such as `192.168.10.5:6379` (a Redis port). The Dendrite server attempts an outbound TLS connection to that address, and the attacker distinguishes between a TCP-refused error, a timeout, and a TLS handshake response to infer whether the port is open, closed, or filtered - effectively using Dendrite as a port scanner against its internal network. …
Remediation No specific patched release version has been confirmed in the available data - patch availability per vendor advisory should be independently verified against the Dendrite GitHub release page before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy