CVE-2026-45076
Status: Analyzed - Analysis Complete
History Loss in Synapse Matrix Homeserver

Publication date: 2026-05-28

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.

Meta Information

Published: 2026-05-28
Last Modified: 2026-06-04
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16

Affected Vendors & Products
Showing 1 associated CPE

Vendor: element
Product: synapse
Version / Range: up to 1.152.1 (exclusive)

CWE
CWE ID: CWE-20
Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Executive Summary

This vulnerability affects Synapse, an open source Matrix homeserver implementation, in versions prior to 1.152.1. In federated rooms, malicious homeservers can craft specific room events that prevent Synapse from providing the full history of the room to clients who are paginating through messages.

As a result, clients may fail to display the complete room history. This issue is classified as a moderate severity vulnerability and has been fixed in Synapse version 1.152.1.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The impact of this vulnerability is that clients using Synapse to access federated rooms may not be able to see the full history of messages in those rooms.

This can degrade the user experience by causing incomplete message histories to be displayed, potentially leading to confusion or loss of important context in conversations.

Detection Guidance

There are no specific detection commands or methods provided to identify this vulnerability on your network or system.

The vulnerability involves malicious homeservers crafting specific room events in federated rooms to disrupt Synapse's pagination of room history.

Since the issue affects Synapse versions prior to 1.152.1, checking the Synapse version in use can help detect if the system is vulnerable.

  • Check Synapse version with a command like: synctl --version or by inspecting the installed package version.

Mitigation Strategies

The primary mitigation step is to upgrade Synapse to version 1.152.1 or later, where this vulnerability has been fixed.

There are no known workarounds for this issue, so applying the patch is essential.

Contacting security at element.io for further guidance is recommended if additional assistance is needed.
