VYPR
Low severity · NVD Advisory · Published Sep 26, 2023 · Updated Feb 13, 2025

Temporary storage of plaintext passwords during password changes in matrix synapse

CVE-2023-41335

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Synapse temporarily stores plaintext passwords in the database during password changes, which may persist in backups; fixed in version 1.93.0.

Vulnerability

Description

CVE-2023-41335 describes a vulnerability in Synapse, an open-source Matrix homeserver, where plaintext passwords are temporarily stored in the server database during password changes [2]. While the server inherently has access to passwords during authentication, this behavior contradicts user expectations that passwords are not persisted. The temporary storage lasts up to 48 hours before automatic erasure [4].

Exploitation

Exploitation requires an attacker to gain access to database backups, where these transient passwords could be retained for extended periods [2]. The vulnerability is triggered by normal user password change operations; no additional authentication or network position is needed beyond what is already required for the action. However, direct exploitation of the live database is not feasible as passwords are automatically removed within two days.

Impact

If an attacker obtains database backups, they may recover plaintext passwords for users who changed passwords within the 48-hour window prior to the backup [4]. This could lead to account compromise on the Matrix homeserver or other services where users reuse passwords. The severity is considered low due to the limited window and requirement for backup access [4].

Mitigation

This issue is fixed in Synapse version 1.93.0 [2]. Users are strongly advised to upgrade immediately. There are no known workarounds [4]. Organizations should also ensure database backups are securely stored and access is restricted to minimize risk.
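As an added example (not Synapse's own code), an audit-and-scrub routine for the table the fix's own test queries: it flags ui_auth_sessions rows whose stored clientdict still carries new_password and rewrites them without the key, which is the check an operator would run against a restored backup or a database that has not yet aged out the 48-hour window. The in-memory sqlite table, its sample rows and the helper names are constructed for this example; the real table has more columns.

```python
import json
import sqlite3

# Request-body keys that must never survive in ui_auth_sessions.clientdict.
# Only new_password is named by the advisory; the set is an extensible assumption.
SENSITIVE_KEYS = frozenset({"new_password"})


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the ui_auth_sessions table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ui_auth_sessions (session_id TEXT PRIMARY KEY, clientdict TEXT)")
    conn.executemany("INSERT INTO ui_auth_sessions VALUES (?, ?)", [
        # Written by a server before 1.93.0: the request body was stored verbatim.
        ("sess-old", json.dumps({"new_password": "hunter2", "logout_devices": True})),
        # Written after the fix: new_password excluded from the stored dict.
        ("sess-fixed", json.dumps({"logout_devices": True})),
        # Unrelated UI auth flow (device deletion); no password field at all.
        ("sess-device", json.dumps({"devices": ["ABC"]})),
    ])
    conn.commit()
    return conn


def audit_ui_auth_sessions(conn: sqlite3.Connection) -> list[str]:
    """Return ids of sessions whose clientdict still holds a sensitive key.

    Only ids are returned, so the audit output itself never carries a password.
    """
    rows = conn.execute("SELECT session_id, clientdict FROM ui_auth_sessions")
    return [sid for sid, cd in rows if SENSITIVE_KEYS.intersection(json.loads(cd))]


def scrub_ui_auth_sessions(conn: sqlite3.Connection) -> int:
    """Drop sensitive keys from every affected row in place; return rows rewritten."""
    rewritten = 0
    for sid, cd in conn.execute("SELECT session_id, clientdict FROM ui_auth_sessions").fetchall():
        data = json.loads(cd)
        if not SENSITIVE_KEYS.intersection(data):
            continue  # nothing to remove, leave the row untouched
        cleaned = {k: v for k, v in data.items() if k not in SENSITIVE_KEYS}
        conn.execute("UPDATE ui_auth_sessions SET clientdict = ? WHERE session_id = ?",
                     (json.dumps(cleaned), sid))
        rewritten += 1
    conn.commit()
    return rewritten
```

Against a real deployment the same two queries run unchanged on PostgreSQL via psycopg; run the audit first on a restored backup copy, and only scrub after confirming the row count matches expectations.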

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: matrix-synapse (PyPI)
Affected versions: >= 1.66.0, < 1.93.0
Patched versions: 1.93.0


Patches

69b74d9330e4

Avoid temporary storage of sensitive information. (#16272)

https://github.com/matrix-org/synapse · Patrick Cloke · Sep 8, 2023 · via ghsa
3 files changed · +16 −2
  • changelog.d/16272.bugfix · +1 −0 · added
    @@ -0,0 +1 @@
    +Avoid temporary storage of sensitive information.
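Review bot: the changelog line is too vague for an operator scanning release notes to recognise what changed or whether they are affected; consider naming the data path, e.g. "Avoid storing the new password in the UI auth session data during password changes."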
    
  • synapse/rest/client/account.py · +2 −2 · modified
    @@ -186,15 +186,15 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
                     params, session_id = await self.auth_handler.validate_user_via_ui_auth(
                         requester,
                         request,
    -                    body.dict(exclude_unset=True),
    +                    body.dict(exclude_unset=True, exclude={"new_password"}),
                         "modify your account password",
                     )
                     user_id = requester.user.to_string()
                 else:
                     result, params, session_id = await self.auth_handler.check_ui_auth(
                         [[LoginType.EMAIL_IDENTITY]],
                         request,
    -                    body.dict(exclude_unset=True),
    +                    body.dict(exclude_unset=True, exclude={"new_password"}),
                         "modify your account password",
                     )
     
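Review bot: `exclude={"new_password"}` is repeated verbatim at both call sites, so the next caller that passes a request body into UI auth can silently regress; hoist the set to a module-level constant and, better, strip such keys inside the auth handler before the client dict is persisted rather than relying on every caller. A one-line comment at the call site would also help, since nothing here indicates that the dict is written to ui_auth_sessions, which is the reason the key has to be excluded.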
    
  • tests/rest/client/test_account.py · +13 −0 · modified
    @@ -31,6 +31,7 @@
     from synapse.rest.client import account, login, register, room
     from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
     from synapse.server import HomeServer
    +from synapse.storage._base import db_to_json
     from synapse.types import JsonDict, UserID
     from synapse.util import Clock
     
    @@ -134,6 +135,18 @@ def test_basic_password_reset(self) -> None:
             # Assert we can't log in with the old password
             self.attempt_wrong_password_login("kermit", old_password)
     
    +        # Check that the UI Auth information doesn't store the password in the database.
    +        #
    +        # Note that we don't have the UI Auth session ID, so just pull out the single
    +        # row.
    +        ui_auth_data = self.get_success(
    +            self.store.db_pool.simple_select_one(
    +                "ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
    +            )
    +        )
    +        client_dict = db_to_json(ui_auth_data["clientdict"])
    +        self.assertNotIn("new_password", client_dict)
    +
         @override_config({"rc_3pid_validation": {"burst_count": 3}})
         def test_ratelimit_by_email(self) -> None:
             """Test that we ratelimit /requestToken for the same email."""
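Review bot: the new assertion only exercises the email-identity path (check_ui_auth via password reset); the validate_user_via_ui_auth branch, used when a logged-in user changes their own password, receives the same fix in account.py but no test, so add the same assertNotIn check to a test that changes the password as an authenticated user. Also, simple_select_one with keyvalues={} assumes exactly one row in ui_auth_sessions; filtering by the session id from the flow under test would keep this from breaking as soon as another UI auth session is created during setup.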
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
