Medium severity6.9GHSA Advisory· Published May 14, 2026· Updated May 14, 2026

Synapse pagination Denial of Service

CVE-2026-45076

Description

Impact

In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients.

Clients could therefore fail to display room history.

Patches

Update to Synapse 1.152.1 or later.

Workarounds

There are no known workarounds for this issue.

Identifiers

ELEMENTSEC-2025-1636

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Affected products

Element Hq/SynapseGHSA
Range: < 1.152.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-6qf2-7x63-mm6vghsaADVISORY
github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6vghsa

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000