CVE-2026-45078
Analyzed Analyzed - Analysis Complete
Synapse Denial of Service via CPU Starvation

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-03
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45078
EUVD
EUVD-2026-32935
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
element synapse to 1.152.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45078 is a vulnerability in Synapse, an open source Matrix homeserver implementation. Prior to version 1.152.1, local authenticated users can exploit this issue to consume excessive CPU resources.

This excessive CPU consumption starves other requests of processing time, causing those requests to fail and resulting in denial of service for other users.

The vulnerability has been fixed in Synapse version 1.152.1.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to denial of service on a Synapse homeserver by allowing local authenticated users to consume excessive CPU resources.

As a result, other users' requests may fail because the server is starved of CPU, causing service disruption.

Homeservers that trust all local users are not at risk, but those that do not may be vulnerable.

A workaround is to deploy Synapse behind a reverse proxy configured to limit request rates, mitigating the attack until the patch is applied.

Detection Guidance

This vulnerability involves local authenticated users causing Synapse to consume excessive CPU resources, leading to denial of service for other users.

Detection can focus on monitoring CPU usage patterns on the Synapse server, especially looking for unusually high CPU consumption by local user requests.

While no specific commands are provided, general commands to monitor CPU usage and processes on the server include:

  • Using top or htop to observe CPU usage in real time.
  • Using ps aux --sort=-%cpu to list processes consuming the most CPU.
  • Checking Synapse logs for unusual request patterns or errors indicating request starvation.
Mitigation Strategies

The vulnerability is fixed in Synapse version 1.152.1. The primary mitigation step is to upgrade Synapse to version 1.152.1 or later.

As an immediate workaround, if Synapse is deployed behind a reverse proxy, configure the proxy to limit request rates to mitigate the attack.

Additionally, consider restricting or monitoring local authenticated user access if possible, since the vulnerability requires local authenticated users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart