PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63097 matrix-org CVE debrief

CVE-2026-63097 is an improper access control vulnerability in Dendrite's syncapi /context endpoint. This issue allows authenticated local users to access post-leave room state events by exploiting a flawed membership check. The vulnerability is caused by the endpoint evaluating only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. As a result, attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.

Vendor
matrix-org
Product
dendrite
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Dendrite version 0.13.8 or earlier should be aware of this vulnerability and take necessary actions to protect their systems. This issue is particularly relevant for users who have configured their Dendrite instances to allow local user authentication and have users who frequently join and leave rooms.

Technical summary

The vulnerability is located in the syncapi /context endpoint, specifically in the syncapi/routing/context.go file. The flawed membership check fails to properly evaluate the user's membership status, allowing users who have left a room to access sensitive information. This issue has a CVSS score of 5.3 and a severity rating of MEDIUM. The vulnerability allows authenticated local users to access post-leave room state events by exploiting the flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Users of Dendrite version 0.13.8 or earlier are affected, particularly those who have configured their Dendrite instances to allow local user authentication and have users who frequently join and leave rooms.

Defensive priority

Medium priority should be given to patching this vulnerability, as it allows for unauthorized access to sensitive room state information. However, the impact is somewhat limited as it requires authenticated local users and specific conditions to be exploited.

Recommended defensive actions

  • Apply the official patch or update to a version of Dendrite that fixes this vulnerability.
  • Review and adjust the membership checks in the /context endpoint to ensure proper evaluation of user membership status.
  • Implement additional monitoring to detect and respond to potential exploitation attempts.
  • Consider compensating controls such as limiting access to the /context endpoint or implementing stricter access controls.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-17T16:17:16.783Z and was last modified on 2026-07-17T18:04:04.083Z. The NVD entry is currently Deferred. Limited information is available about the specific affected versions and configurations of Dendrite.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:16.783Z and has not been modified since then. The NVD entry is currently Deferred.