Medium severity4.3NVD Advisory· Published Dec 3, 2024· Updated Apr 15, 2026

CVE-2024-53867

Description

Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
matrix-synapsePyPI	>= 1.113.0rc1, < 1.120.1	1.120.1

Patches

fe3d88b833f7

https://github.com/element-hq/synapsevia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-56w4-5538-8v8hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-53867ghsaADVISORY
github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8hnvdWEB
github.com/matrix-org/matrix-spec-proposals/pull/4186nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000