VYPR
Get started

Synapse

Sign in to watch

by Element Hq

Source repositories

CVEs (3)

CVESevRiskCVSSEPSSKEVPublishedDescription
CVE-2026-45078hig0.38May 14, 2026### Impact Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. Homeservers that trust all their local users are not at risk. ### Patches Update to Synapse 1.152.1 or later. ### Workarounds If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack. ### Identifiers - ELEMENTSEC-2026-1706 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
CVE-2025-61672Med0.270.00Oct 8, 2025Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
CVE-2026-450760.00May 14, 2026### Impact In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. ### Patches Update to Synapse 1.152.1 or later. ### Workarounds There are no known workarounds for this issue. ### Identifiers - ELEMENTSEC-2025-1636 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).