Synapse allows a malformed invite to break the invitee's `/sync`
Description
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Synapse before 1.120.1 fails to validate federation invites, allowing a malicious server to break a user's /sync functionality.
Vulnerability Description
Synapse, an open-source Matrix homeserver, versions prior to 1.120.1 do not properly validate invites received over federation [1]. This flaw enables a malicious server to send a specially crafted invite that disrupts the invited user's /sync endpoint, preventing the user from synchronizing their Matrix state.
Exploitation
An attacker must control a federated Matrix server and send a crafted invite to a target user on another server. No authentication is required beyond the ability to federate, and the attack does not require user interaction—the invite alone triggers the disruption. The attack surface is the federation API, typically exposed to the internet.
Impact
Successful exploitation causes the invited user's /sync to malfunction, effectively breaking the client's ability to receive new messages or room updates. This can lead to denial of service for the affected user, preventing them from using Matrix normally until the malformed invite is removed or the server is upgraded [3].
Mitigation
Synapse 1.120.1 rejects such invalid invites received over federation, restoring sync functionality for affected users [3]. Server administrators are advised to upgrade to this version or later. As a workaround, administrators can disable federation from untrusted servers, though this may limit interoperability [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.120.1 | 1.120.1 |
Affected products
- Range: < 1.120.1
- element-hq/synapse: Range < 1.120.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-f3r3-h2mq-hx2h (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-52815 (NVD entry)
- [3] github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.