CVE-2026-45078: Synapse Denial-of-Service via CPU Exhaustion (v1.152.1+)
Synapse, an open-source Matrix homeserver, contains a denial-of-service vulnerability affecting versions prior to 1.152.1. An authenticated local user can craft requests that consume excessive CPU resources, starving other legitimate requests and causing service degradation for other users. The attack requires valid credentials and local system access but does not require user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-770
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45078 is a resource exhaustion vulnerability in Synapse stemming from improper CPU allocation handling (CWE-770). Authenticated local users can trigger computationally expensive operations that monopolize CPU cycles, preventing the homeserver from servicing other requests in a timely manner. The vulnerability has a CVSS v3.1 score of 5.5 (Medium severity) with an attack vector of local, low complexity, low privileges required, no user interaction, and high availability impact.
Business impact
For organizations running Synapse as their Matrix homeserver, this vulnerability creates internal denial-of-service risk. An authenticated attacker (insider or compromised account) can disrupt service for all users on the instance, affecting real-time communication, collaboration tools, or any application relying on the Matrix federation. The impact is amplified in shared or multi-tenant deployments where a single malicious user degrades experience for many others.
Affected systems
Synapse versions prior to 1.152.1 are vulnerable. Organizations running Synapse on any platform (Linux, Docker, cloud-native deployments) are affected if they have not applied the patch. The vulnerability applies only to deployments where untrusted authenticated users have access to the homeserver.
Exploitability
Exploitability is moderate. The attack requires valid user credentials and local or network access to trigger the CPU-exhaustion condition. No complex exploitation steps, user interaction, or privilege escalation are needed—a standard authenticated user can execute the attack. The barrier to exploitation is authentication, making this primarily an insider threat or post-compromise risk in externally accessible instances.
Remediation
Upgrade Synapse to version 1.152.1 or later. Organizations unable to patch immediately should restrict matrix homeserver access to trusted users, implement network-level rate limiting on suspect accounts, and monitor CPU utilization for anomalous spikes correlated with specific users.
Patch guidance
Apply the Synapse 1.152.1 update from the official Element/Synapse release channels. Verify compatibility with your deployment architecture (bare metal, Docker, Kubernetes) before deploying to production. Test in a staging environment to confirm no federation or client compatibility regressions. Coordinate updates during maintenance windows to minimize disruption to active users.
Detection guidance
Monitor Synapse process CPU utilization in real-time; spikes sustained by a single authenticated session are suspicious. Enable debug logging of request handling to correlate high CPU periods with specific users or endpoint patterns. Track request queue depth and response latency—a spike in queued requests without corresponding traffic growth suggests resource starvation. Network intrusion detection can flag repeated requests from a single user to computationally expensive endpoints.
Why prioritize this
Although CVSS is Medium (5.5), organizations with public or multi-tenant Synapse instances should prioritize this patch because the attack surface includes all authenticated users and the impact is immediate and visible to other users. Insider-threat risk is elevated in shared environments. Conversely, isolated, single-user, or tightly-controlled instances face lower risk but should still apply the patch as part of routine maintenance.
Risk score, explained
CVSS 5.5 reflects medium severity: the attack requires local/authenticated access (low privilege), is not network-remote, and impacts availability only (no confidentiality or integrity compromise). The score is not low because the availability impact is high—the service becomes unresponsive—but it is not critical because the attack is confined to local authenticated users and does not enable code execution or data breach.
Frequently asked questions
Does this vulnerability allow remote code execution or data theft?
No. CVE-2026-45078 is strictly a denial-of-service vulnerability. It does not enable unauthorized access, data exfiltration, or code execution. The attacker can degrade service availability but cannot read encrypted messages or escalate privileges.
Can an unauthenticated attacker exploit this?
No. The vulnerability requires valid user credentials and local/network access to the homeserver. Unauthenticated users cannot trigger the CPU exhaustion.
What is the recommended timeline for patching?
Upgrade to 1.152.1 within 30 days. If your Synapse instance is internet-facing or serves many users, prioritize sooner. If it is isolated or single-user, a standard monthly patch cycle is acceptable.
Are there workarounds if we cannot patch immediately?
Partial mitigation is possible: restrict homeserver access to a whitelist of trusted users, implement request rate limits on client connections, and monitor CPU metrics for anomalies. These do not eliminate the vulnerability but reduce the likelihood of accidental or malicious triggering during the patching window.
This analysis is based on the published CVE description and CVSS vector as of 2026-06-17. Verify compatibility, dependencies, and deployment-specific impacts by consulting the official Synapse and Element security advisories. Organizations should conduct internal testing before deploying patches to production. This assessment does not constitute professional security or legal advice; consult your security team and vendor for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size
- CVE-2026-45023MEDIUMAutoGPT Credit Bypass in Block Execution API
- CVE-2026-45292MEDIUMOpenTelemetry Java Baggage DoS Vulnerability – Patch & Detection Guide
- CVE-2026-45352MEDIUMcpp-httplib Negative Chunk Size Denial of Service