CVE-2026-63096
Received Received - Intake

Dendrite SSRF via Legacy Media Download Endpoint

Vulnerability report for CVE-2026-63096, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers can exploit distinguishable error response classes and leaked internal IP addresses in error messages to perform blind port scanning and enumerate internal network topology.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
matrix_org dendrite to 0.13.8 (inc)
matrix homeserver to 0.13.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63096 is a Server-Side Request Forgery (SSRF) vulnerability in Dendrite versions up to 0.13.8. It allows unauthenticated attackers to force the server to open outbound TLS connections to arbitrary hosts and ports by exploiting an unvalidated serverName parameter in the legacy media download endpoint. Attackers can use error responses and leaked internal IP addresses to perform blind port scanning and map internal networks.

Detection Guidance

To detect this SSRF vulnerability in Dendrite, monitor outbound TLS connections initiated by the server, especially to unexpected or internal hosts. Check logs for requests to the legacy media download endpoint with unvalidated serverName parameters. Use network scanning tools to identify unusual outbound connections from the Dendrite server.

Impact Analysis

This vulnerability enables attackers to scan internal networks, identify open ports, and map network topologies. It could lead to unauthorized access to internal systems, data exfiltration, or further attacks if internal services are exposed. Systems running vulnerable Dendrite versions are at risk of these network reconnaissance activities.

Compliance Impact

This SSRF vulnerability could potentially violate compliance with GDPR and HIPAA by enabling unauthorized network reconnaissance and data exfiltration. Attackers could map internal systems and probe services, risking exposure of personal or health data. GDPR requires protection against unauthorized access to personal data, while HIPAA mandates safeguards for protected health information. The vulnerability's ability to leak internal IP addresses and scan networks may lead to non-compliance with these standards.

Mitigation Strategies

Immediately upgrade Dendrite to a patched version if available. If no patch exists, disable the legacy media download endpoint or restrict access to it. Implement network-level controls to block unauthorized outbound TLS connections from the Dendrite server. Monitor for exploitation attempts in server logs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63096. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart