PatchSiren cyber security CVE debrief

CVE-2026-45076 element-hq CVE debrief

CVE-2026-45076 is a medium-severity vulnerability in Synapse, an open-source Matrix homeserver implementation. The issue, published on 2026-05-28, affects versions prior to 1.152.1. In federated rooms, malicious homeservers can craft room events that prevent Synapse from providing complete history to paginating clients, potentially causing clients to fail to display room history. The vulnerability is classified under CWE-20 (Improper Input Validation) and carries a CVSS 4.0 score of 5.1. The fix is available in Synapse version 1.152.1.

Vendor: element-hq
Product: synapse
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations operating Synapse Matrix homeservers, particularly those participating in open federation or hosting rooms with external participants. Matrix client application developers may also want to understand this issue for error handling improvements.

Technical summary

The vulnerability exists in Synapse's handling of room events in federated environments. A malicious homeserver can construct events that interfere with the server's ability to serve complete historical data during pagination operations. The impact is on the integrity and availability of historical room data, not on confidentiality, and the issue is not an authentication bypass. Exploitation requires the attacker to operate a malicious homeserver that participates in the same federated room as the target Synapse instance.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Synapse to version 1.152.1 or later to remediate this vulnerability
  • Review federation configuration to restrict trust to known, reputable homeservers where possible
  • Monitor client-side logs for pagination failures or missing room history that may indicate exploitation attempts
  • Assess whether room history integrity monitoring is feasible for critical federated rooms

Evidence notes

Vulnerability description and fix version confirmed via official GitHub Security Advisory. CVSS vector and CWE classification sourced from NVD record. No known exploitation in the wild or KEV listing at time of analysis.
