PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63095 matrix-org CVE debrief

CVE-2026-63095 is an improper authorization vulnerability in Dendrite through 0.13.8. The issue allows any authenticated local user to delete third-party identifier bindings belonging to other users. This is possible through the account deletion endpoint without ownership verification. Exploiting the unverified Forget3PID handler enables an attacker to remove a victim's email or MSISDN binding. Subsequently, the attacker can rebind the address through an identity server to hijack the victim's password reset flow.

Vendor
matrix-org
Product
dendrite
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Dendrite version 0.13.8 or earlier should be aware of this vulnerability. Specifically, administrators of Dendrite installations and users with authenticated local access are at risk. Security teams monitoring for potential exploitation of this issue should prioritize patching or mitigating the vulnerability.

Technical summary

The vulnerability exists in the Matrix Client-Server API of Dendrite through 0.13.8. An attacker can submit an arbitrary address and medium to the account deletion endpoint, allowing them to delete identifier bindings of other users without verification. This can lead to unauthorized removal of email or MSISDN bindings, which can then be rebound to hijack password reset flows. Affected product deployments should be identified in managed environments, and owners should be assigned for follow-up. The issue allows any authenticated local user to delete third-party identifier bindings belonging to other users. Exploiting the unverified Forget3PID handler enables an attacker to remove a victim's email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim's password reset flow.

Defensive priority

High

Recommended defensive actions

  • Patch Dendrite installations to a version beyond 0.13.8
  • Implement additional authentication checks for the account deletion endpoint
  • Monitor for and restrict exploitation attempts on the Forget3PID handler
  • Review and update access controls for Matrix Client-Server API endpoints
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-17T16:17:16.467Z and was last modified on 2026-07-17T18:04:04.083Z. The NVD entry is currently Deferred. Limited details are available about the specific affected configurations and vendor response.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:16.467Z and has not been modified since then. The NVD entry is currently Deferred.