Synapse does not apply enough checks to servers requesting auth events of events in a room
Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Synapse before 1.69.0 improperly grants access to room authorization events via the Federation API, allowing a remote homeserver that should not receive them to retrieve room authorization data.
Vulnerability
Description
In Synapse versions up to and including 1.68.0, the Federation API endpoint that serves a room's authorization events does not adequately verify that the requesting homeserver is entitled to receive them. A remote homeserver can therefore request the authorization events of a room it is not part of, potentially learning sensitive information about room membership and permissions [1][2].
Exploitation
The vulnerability is exploitable over the Matrix federation protocol, which is normally exposed to the internet for server-to-server traffic. Federation requests are signed with the requesting server's signing key, so the attacker must operate a federating homeserver, but needs no membership in the target room and no other privilege. The attacker sends a request for the authorization events of a target room, and the vulnerable server answers without an adequate access-control check [1][4].
Impact
Successful exploitation discloses the authorization events of any room the vulnerable homeserver is in to a server that should not receive them. Authorization events are the subset of room state that justifies an event's acceptance: the room create event, join rules, power levels and the relevant membership events, which together reveal who is in the room and what they are permitted to do. That information gives an attacker insight into room structure and may help in exploiting further weaknesses [2][4].
Mitigation
The issue is patched in Synapse 1.69.0, and administrators are strongly advised to upgrade to that version or later. The fix enforces proper authorization checks on the federation query; no workaround is listed [1][2].
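To make the access-control gap in the Description, Exploitation and Mitigation sections concrete, here is an added example that is not Synapse's own code: a minimal model of a federation event_auth handler, with the pre-fix behaviour (no check on the requesting server) beside a hardened one that refuses servers not in the room and, when the room's state is only partially known, refuses to answer at all (the approach the linked PR title describes). All names (Event, RoomStore, FederationServer, FederationError) and the sample room are hypothetical, constructed for illustration.

```python
# Added example, not Synapse's own code: a minimal model of a federation
# event_auth handler with the missing origin check beside a hardened one.
# All names (Event, RoomStore, FederationServer, FederationError) and the
# sample room are hypothetical, constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


class FederationError(Exception):
    def __init__(self, code: int, msg: str) -> None:
        super().__init__(f"{code}: {msg}")
        self.code = code  # HTTP status sent back to the requesting server


@dataclass
class Event:
    event_id: str
    room_id: str
    type: str
    state_key: Optional[str] = None  # None for non-state events
    auth_event_ids: list[str] = field(default_factory=list)
    content: dict = field(default_factory=dict)


def server_name(user_id: str) -> str:
    """'@alice:hs-a.example' -> 'hs-a.example'."""
    return user_id.split(":", 1)[1]


@dataclass
class RoomStore:
    events: dict[str, Event]  # insertion order doubles as timeline order
    partial_state_rooms: set[str] = field(default_factory=set)  # e.g. mid faster-join

    def servers_in_room(self, room_id: str) -> set[str]:
        """Servers with at least one joined user, from the latest m.room.member events."""
        membership: dict[str, str] = {}
        for ev in self.events.values():
            if ev.room_id == room_id and ev.type == "m.room.member" and ev.state_key:
                membership[ev.state_key] = ev.content.get("membership", "leave")
        return {server_name(u) for u, m in membership.items() if m == "join"}

    def auth_chain(self, event_id: str) -> list[Event]:
        """Transitive closure of auth_events: the payload the endpoint returns."""
        seen: dict[str, Event] = {}
        stack = list(self.events[event_id].auth_event_ids)
        while stack:
            eid = stack.pop()
            if eid not in seen:
                seen[eid] = self.events[eid]
                stack.extend(self.events[eid].auth_event_ids)
        return sorted(seen.values(), key=lambda e: e.event_id)


class FederationServer:
    def __init__(self, store: RoomStore, check_origin: bool = True) -> None:
        self.store = store
        self.check_origin = check_origin  # False models the pre-1.69.0 behaviour

    def on_event_auth(self, origin: str, room_id: str, event_id: str) -> list[str]:
        """GET /_matrix/federation/v1/event_auth/{roomId}/{eventId}; `origin` is
        the server name already verified from the request signature."""
        ev = self.store.events.get(event_id)
        if ev is None or ev.room_id != room_id:
            raise FederationError(404, "Event not found")
        if self.check_origin:
            self.assert_host_in_room(room_id, origin)
        return [e.event_id for e in self.store.auth_chain(event_id)]

    def assert_host_in_room(self, room_id: str, host: str) -> None:
        # With only partial state we cannot answer the membership question,
        # so refuse rather than guess (the approach the linked PR title describes).
        if room_id in self.store.partial_state_rooms:
            raise FederationError(403, "Unable to authorise you right now")
        if host not in self.store.servers_in_room(room_id):
            raise FederationError(403, f"{host} is not in room {room_id}")


ROOM = "!room:hs-a.example"


def sample_store() -> RoomStore:
    """Constructed room: alice (hs-a) creates it, bob (hs-b) joins and posts."""
    a, b = "@alice:hs-a.example", "@bob:hs-b.example"
    evs = [
        Event("$create", ROOM, "m.room.create", "", [], {"creator": a}),
        Event("$alice", ROOM, "m.room.member", a, ["$create"], {"membership": "join"}),
        Event("$power", ROOM, "m.room.power_levels", "", ["$create", "$alice"], {"users": {a: 100}}),
        Event("$rules", ROOM, "m.room.join_rules", "", ["$create", "$alice", "$power"], {"join_rule": "invite"}),
        Event("$bob", ROOM, "m.room.member", b, ["$create", "$rules", "$power"], {"membership": "join"}),
        Event("$msg", ROOM, "m.room.message", None, ["$create", "$power", "$bob"], {"body": "hi"}),
    ]
    return RoomStore({e.event_id: e for e in evs})


def request_auth(server: FederationServer, origin: str, event_id: str) -> tuple[int, list[str]]:
    """Issue one event_auth request and report (status, auth event ids)."""
    try:
        return 200, server.on_event_auth(origin, ROOM, event_id)
    except FederationError as e:
        return e.code, []


if __name__ == "__main__":
    print("vulnerable, stranger:", request_auth(FederationServer(sample_store(), check_origin=False), "hs-evil.example", "$msg"))
    print("hardened, stranger:  ", request_auth(FederationServer(sample_store()), "hs-evil.example", "$msg"))
    print("hardened, member:    ", request_auth(FederationServer(sample_store()), "hs-b.example", "$msg"))
```

With `check_origin=False`, `hs-evil.example`, which has no user in the room, receives the full auth chain of `$msg` (create, power levels, join rules and both membership events). With the check enabled the same request gets a 403, a server that is actually in the room is still served, and a room whose state is only partially known is refused even for a member, because the membership answer cannot be trusted yet.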
- Faster Remote Room Joins: tell remote homeservers that we are unable to authorise them if they query a room which has partial state on our server. by reivilibre · Pull Request #13823 · matrix-org/synapse
- NVD - CVE-2022-39335
- advisory-database/vulns/matrix-synapse/PYSEC-2023-65.yaml at main · pypa/advisory-database
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.69.0 | 1.69.0 |
Affected products
- matrix-org/synapse: range < 1.69.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-45cj-f97f-ggwv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39335
- github.com/matrix-org/synapse/issues/13288
- github.com/matrix-org/synapse/pull/13823
- github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS/
News mentions
No linked articles in our index yet.