CVE-2026-45076: Synapse Federated Room History Availability Flaw
Synapse, an open-source Matrix homeserver implementation used for federated messaging, contains a flaw in how it handles room history in cross-server deployments. Malicious homeservers can craft specially formed room events that cause Synapse instances to withhold historical messages from clients requesting older conversation data. Users may see incomplete chat histories or missing messages when paginating through room archives. This is a low-severity issue because it requires a compromised or malicious federated peer and affects data availability rather than confidentiality or integrity.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.7 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45076 is an input validation vulnerability (CWE-20) affecting Synapse versions prior to 1.152.1. In federated Matrix rooms, untrusted homeservers can construct malformed room events that cause the affected Synapse instance to fail history pagination operations. The flaw lies in insufficient validation of event structure when processing federated room state, allowing remote actors to trigger denial-of-service conditions against history retrieval. The CVSS 3.1 vector (2.7 LOW) reflects high access requirements (PR:H) and localized availability impact without affecting confidentiality or integrity.
Business impact
Organizations running Synapse homeservers in federated environments face degraded user experience during historical message retrieval. Users may be unable to see past conversations, potentially impacting compliance scenarios where audit trails or message archives are required for regulatory purposes. However, the impact is limited to availability of archived data; live communication and forward messaging are not affected. The requirement for a malicious federated peer significantly constrains real-world attack surface.
Affected systems
Element Synapse versions prior to 1.152.1 are affected. Only deployments in federated Matrix networks are at risk; standalone homeservers without federation enabled are not impacted. The vulnerability requires an attacker to control or compromise a federated peer homeserver.
Exploitability
Exploitation requires administrative control or compromise of a federated homeserver peer and the ability to craft and inject malformed room events into shared rooms. This is not an unauthenticated remote vulnerability; the attacker must already possess federation privileges. No public exploit code is known to exist, and the low CVSS score reflects the high privilege barrier and limited scope of impact.
Remediation
Upgrade Synapse to version 1.152.1 or later. Organizations should also review federation trust relationships and implement network-level controls to limit federation to trusted homeserver instances. If immediate patching is not feasible, restricting federation scope or disabling federation temporarily can mitigate exposure.
Patch guidance
Apply Synapse 1.152.1 as soon as practical. Verify the patch version in your deployment environment and consult the Element/Synapse official release notes to confirm the fix is included. For organizations on extended support timelines, check whether backports are available for your supported release series. Test the upgrade in a staging environment before deploying to production to ensure no compatibility issues with existing room state or federation peers.
Detection guidance
Monitor Synapse logs for pagination failures or incomplete history retrieval errors, particularly in federated rooms. Implement alerts on elevated error rates for the /messages API endpoint or related history-fetch operations. Network-level detection is challenging without endpoint visibility; focus detection efforts on server-side logging and alerting for abnormal pagination behavior correlated with specific federation peers.
Why prioritize this
This vulnerability receives low priority despite federated deployment scenarios. The requirement for a malicious federated peer, combined with limited scope (availability only), and the straightforward patch path justify deferral past high-impact issues. Prioritize patching if your organization maintains strict audit trail requirements or operates in regulated industries where historical message availability is compliance-critical.
Risk score, explained
The CVSS 3.1 score of 2.7 (LOW) reflects: network-accessible attack vector (AV:N), but high privilege requirement (PR:H) limiting real-world exploitability; low complexity (AC:L) of crafting malicious events; no impact to confidentiality (C:N) or integrity (I:N); and minimal availability impact (A:L) scoped to historical data retrieval rather than service disruption. The score appropriately penalizes an attack requiring federated peer compromise.
Frequently asked questions
Does this affect my Synapse instance if I don't use federation?
No. Standalone Synapse deployments not configured for federation are not affected by this vulnerability. Only homeservers that participate in federated Matrix networks and receive room events from untrusted or compromised peers face risk.
Will this vulnerability cause data loss?
No. The vulnerability does not delete or corrupt room history. It only prevents clients from retrieving historical messages through pagination. The data remains stored on the server and can be accessed after upgrading to 1.152.1.
Can a malicious homeserver exploit this against my users if I don't control that peer?
Yes, if your Synapse instance is federated with a malicious or compromised homeserver, that peer can craft events to disrupt history retrieval in shared rooms. However, they cannot access private rooms or break forward messaging. This underscores the importance of federation peer trust policies.
Is there a workaround if I cannot patch immediately?
Temporarily disabling federation or restricting federation to a whitelist of trusted peers reduces exposure. However, the definitive fix is upgrading to 1.152.1. Verify availability of patches for your Synapse release series from the Element project.
This analysis is based on the published CVE record and vendor advisory as of the modification date. Exploit details and real-world attack prevalence may evolve. Organizations should verify patch availability and compatibility against their Synapse deployment version before applying updates. SEC.co recommends consulting the official Element Synapse security advisory and release notes for definitive guidance. No guarantee is provided regarding the completeness or timeliness of this assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-30963LOWCapsule Namespace Hijacking via Subresource Webhook Bypass
- CVE-2026-44367LOWKlaw Username Case Sensitivity DoS and Account Lockout
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability