PatchSiren cyber security CVE debrief
CVE-2026-45078 element-hq CVE debrief
CVE-2026-45078 is a medium-severity denial-of-service vulnerability in Synapse, the open-source Matrix homeserver implementation maintained by Element. Published on 2026-05-28, this vulnerability allows local authenticated users to trigger CPU resource exhaustion, causing other requests to fail and denying service to other users. The attack vector is local (AV:L) with low attack complexity (AC:L) and low privileges required (PR:L), requiring no user interaction (UI:N). The vulnerability results in high availability impact (VA:H) with no confidentiality or integrity impact. The root cause is classified under CWE-770: Allocation of Resources Without Limits or Throttling. This vulnerability is fixed in Synapse version 1.152.1. Organizations running Synapse homeservers should prioritize upgrading to this patched version to prevent authenticated local users from monopolizing CPU resources and disrupting service for other users.
- Vendor: element-hq
- Product: synapse
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations operating self-hosted Matrix homeservers using Synapse, particularly those with multiple local users or shared hosting environments where authenticated user isolation is critical. System administrators responsible for Matrix infrastructure availability and service continuity.
Technical summary
Synapse versions prior to 1.152.1 contain a denial-of-service vulnerability in which local authenticated users can cause CPU resource starvation. The vulnerability stems from insufficient resource throttling (CWE-770), allowing malicious or compromised local accounts to monopolize CPU cycles and cause legitimate requests to fail. The CVSS 4.0 score of 6.8 reflects the localized attack surface combined with a significant availability impact. No confidentiality or integrity impact is associated with this vulnerability. The fix in version 1.152.1 implements proper resource limits to prevent CPU starvation.
Defensive priority
medium
Recommended defensive actions
- Upgrade Synapse to version 1.152.1 or later to remediate this vulnerability
- Review and restrict local user access to Synapse homeserver administrative functions
- Monitor CPU utilization patterns on Synapse instances for signs of resource exhaustion attacks
- Implement resource quotas and rate limiting for authenticated users where possible
- Verify backup and recovery procedures for Matrix homeserver data before applying updates
Evidence notes
Vulnerability description and CVSS 4.0 vector confirm local authenticated attack vector with high availability impact. CWE-770 classification indicates resource allocation without proper throttling. Fix version 1.152.1 confirmed in advisory.
Official resources
- CVE-2026-45078 CVE record (CVE.org)
- CVE-2026-45078 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28