CVE-2026-63097
Received Received - Intake

Improper Access Control in Dendrite SyncAPI Context Endpoint

Vulnerability report for CVE-2026-63097, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
matrix_org dendrite From 0.13.0 (inc) to 0.13.8 (inc)
matrix homeserver to 0.13.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63097 is an improper access control flaw in Dendrite versions 0.13.8 and earlier. It affects the syncapi /context endpoint where a flawed membership check only verifies if a room exists (RoomExists) but ignores other critical fields like IsInRoom, HasBeenInRoom, and Membership. This allows authenticated local users who have left a room to access post-leave room state events, retrieving unfiltered current room state that should be restricted.

Detection Guidance

To detect this vulnerability, check if your Dendrite instance is running version 0.13.8 or earlier. Inspect the syncapi/routing/context.go file for improper membership checks in the /context endpoint. Monitor logs for unauthorized access attempts to post-leave room state events via the /context endpoint.

Impact Analysis

If you use Dendrite versions 0.13.8 or earlier, an attacker with local access and prior room membership could exploit this to view sensitive room state information even after leaving the room. This could expose private discussions, user details, or other confidential data that should remain restricted.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR's data protection principles or HIPAA's requirements for safeguarding protected health information. Organizations using affected Dendrite versions may face compliance violations, legal risks, and potential fines due to improper access controls.

Mitigation Strategies

Immediately upgrade Dendrite to a version later than 0.13.8. Review and correct the membership check logic in syncapi/routing/context.go to include IsInRoom, HasBeenInRoom, and Membership fields. Restrict access to the /context endpoint for users who have left rooms.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63097. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart