CVE-2026-63095
Received Received - Intake

Improper Authorization in Dendrite Leading to Third-Party Identifier Removal

Vulnerability report for CVE-2026-63095, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint without ownership verification. Attackers can exploit the unverified Forget3PID handler to remove a victim's email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim's password reset flow.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
matrix client_server_api From 0.13.8 (inc)
matrix homeserver to 0.13.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63095 is an improper authorization flaw in Dendrite through version 0.13.8. It allows any authenticated local user to delete third-party identifier bindings (emails or phone numbers) of other users via the Matrix Client-Server API without ownership verification. Attackers exploit this to remove a victim's email or MSISDN binding, then rebind it through an identity server to hijack the victim's password reset flow.

Detection Guidance

To detect this vulnerability, check if your Dendrite version is 0.13.8 or earlier. Use commands like 'curl -X POST http://your-server/_matrix/client/v3/account/3pid/delete -H "Authorization: Bearer YOUR_TOKEN" -d '{"address":"[email protected]","medium":"email"}'' to test if unauthorized deletions are possible. Monitor logs for failed password reset attempts or unexpected third-party identifier removals.

For the SSRF vulnerability, test the media download endpoint with 'curl http://your-server/_matrix/media/v3/download/attacker.com/123' to see if internal network probing is possible. Check if the /context endpoint leaks room state to non-members.

Impact Analysis

This vulnerability can lead to account takeover if an attacker deletes your email or phone number binding and then rebinds it to their account to intercept password reset requests. It may also allow unauthorized access to room state information and enable internal network scanning through SSRF.

Compliance Impact

This vulnerability could lead to unauthorized access to personal data, which may violate GDPR's data protection principles and HIPAA's safeguards for protected health information. Specifically, the improper authorization flaw allows attackers to delete third-party identifiers, potentially disrupting password resets and enabling account hijacking, compromising data integrity and access controls.

Mitigation Strategies

Immediately upgrade Dendrite to a patched version beyond 0.13.8. If upgrading is not possible, disable the vulnerable endpoints (/account/3pid/delete, /_matrix/media/{r0,v1,v3}/download/{serverName}/{mediaId}, and /context) or restrict access to trusted users only.

Review and revoke any recently deleted third-party identifiers. Implement strict input validation and ownership verification for all account management endpoints. Monitor for suspicious activity in password reset flows.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart