Improper checks for deactivated users during login in synapse
Description
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to log in when using uncommon configurations. This only applies if any of the following are true:

1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting.
2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after the user is deactivated.

Note that the local password database is enabled by default, but it is uncommon to set a user's password after they have been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC), or via an external password provider (e.g. LDAP), are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deactivated user can log into Synapse under uncommon JWT or password-set-after-deactivation configurations.
Overview
CVE-2023-32682 affects Synapse, a Matrix homeserver. Under certain uncommon configurations, deactivated user accounts can still log in. This occurs either when JWT login is enabled (jwt_config.enabled) [1], or when the local password database is active (password_config.enabled and password_config.localdb_enabled) and an admin sets a new password for a deactivated user via the admin API [2].
Exploitation
No elevated privilege is needed to trigger the vulnerability; an attacker only needs the credentials of a deactivated account (or, for JWT login, a valid token for it). For JWT-based login, the JWT handler did not check the account's deactivation status [3]. For password-based login, the flaw arises only if an administrator explicitly updates a user's password after deactivation. The bug was addressed in pull requests that consolidated the deactivation checks [4]. Installations relying solely on SSO (CAS, SAML, OIDC) or external password providers are not affected [1][2].
Impact
An attacker who gains or knows the credentials of a deactivated user can authenticate and inherit the user's prior access to rooms and data, bypassing account deactivation intended to revoke access.
Mitigation
Users are advised to upgrade to Synapse version 1.85.0 or later, where the login checks are enforced. As a partial workaround covering the password path only, ensure that deactivated users have no password set; installations that use JWT login need the upgrade.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
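The two login paths described in the Exploitation section, and the workaround audit from the Mitigation section, as an added example that is not Synapse's own code. It assumes a user table with `password_hash` and `deactivated` fields, a shared-secret HS256 JWT whose `sub` claim carries the full user id, and SHA-256 in place of Synapse's bcrypt hashing; all rows and secrets are constructed.

```python
"""Added example for CVE-2023-32682; it is not Synapse's own code. It models the
two login paths named above (JWT and local password) against a constructed user
table and routes both through one deactivation gate, as the 1.85.0 fix does.
Field names follow Synapse's users table as an assumption; SHA-256 stands in for bcrypt."""
import base64, hashlib, hmac, json

def _pw_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed rows: alice was deactivated, then an admin reset her password.
USERS = {
    "@alice:example.org": {"password_hash": _pw_hash("reset-pw"), "deactivated": True},
    "@bob:example.org": {"password_hash": _pw_hash("bob-pw"), "deactivated": False},
}
JWT_SECRET = b"constructed-shared-secret"  # stands in for jwt_config.secret
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(sub):
    """Mint an HS256 token as the external issuer would (test fixture only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub}).encode())
    sig = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def _check_active(user_id):
    """The one deactivation gate every login method must pass through."""
    row = USERS.get(user_id)
    return None if row is None or row["deactivated"] else user_id

def login_password(user_id, pw, gate=True):
    """gate=False reproduces the pre-1.85.0 path: a reset password alone suffices."""
    row = USERS.get(user_id)
    if row is None or not hmac.compare_digest(row["password_hash"], _pw_hash(pw)):
        return None
    return _check_active(user_id) if gate else user_id

def login_jwt(token, gate=True):
    """gate=False reproduces the pre-1.85.0 JWT handler, which skipped the check."""
    head, body, sig = token.split(".")
    expected = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # bad signature: reject before any account lookup
    sub = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))["sub"]
    return _check_active(sub) if gate else sub  # sub holds the full user id (assumption)

def deactivated_with_password():
    """Workaround audit from the advisory: deactivated accounts must hold no password."""
    return sorted(u for u, row in USERS.items() if row["deactivated"] and row["password_hash"])
```

Running `deactivated_with_password()` against a real deployment would mean querying the users table for deactivated rows whose password hash is still populated; that is the condition the advisory's workaround tells operators to eliminate.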
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.85.0 | 1.85.0 |
Affected products
- matrix-org/synapse: < 1.85.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-26c5-ppr8-f33p
- nvd.nist.gov/vuln/detail/CVE-2023-32682
- github.com/matrix-org/synapse/issues/12274
- github.com/matrix-org/synapse/pull/15624
- github.com/matrix-org/synapse/pull/15634
- github.com/matrix-org/synapse/releases/tag/v1.85.0
- github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2
- matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html
- matrix-org.github.io/synapse/latest/jwt.html
- matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
News mentions
No linked articles in our index yet.