GHSA-3x4c-pq33-4w3q

GitHub Security Advisory

Improper authorisation of members discloses room membership to non-members

✓ GitHub Reviewed LOW Has CVE

Advisory Details

### Impact
Unauthorised users can access the membership of a room (the list of members, with their display names) if they know the room ID. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must hold an account on a vulnerable homeserver that is itself joined to the room.

### Patches
Server administrators should upgrade to 1.41.1 or later.

### Workarounds
Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the following endpoints:
* `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter
* `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter
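One way to apply this workaround on an nginx reverse proxy, as an added example that is not part of the advisory or of the Synapse project's own documentation. The upstream name `synapse`, the listener port 8008 and the hostname are assumptions; adjust them to the deployment. Only requests that carry the `at` query parameter are refused, so member listing without `at` keeps working:

```nginx
# Added example (not from the advisory): refuse the two affected endpoints
# whenever the "at" query parameter is present, forward everything else.
upstream synapse {
    server 127.0.0.1:8008;            # assumed Synapse client listener
}

server {
    listen 443 ssl;
    server_name matrix.example.org;   # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder-fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder-privkey.pem;     # placeholder

    # Match exactly the r0 and unstable forms of the members endpoint.
    # Room IDs contain '!' and ':' and may arrive URL-encoded, so the
    # {room_id} segment accepts anything except a slash.
    location ~ ^/_matrix/client/(r0|unstable)/rooms/[^/]+/members$ {
        # $arg_at holds the value of the "at" query parameter and is empty
        # when it is absent. Compare against "" explicitly: a bare
        # `if ($arg_at)` would treat the value "0" as false and let it
        # through.
        if ($arg_at != "") {
            return 403;
        }
        proxy_pass http://synapse;
    }

    # All other client-server API traffic goes to Synapse unchanged.
    location /_matrix/ {
        proxy_pass http://synapse;
    }
}
```

Clients that legitimately ask for membership at a specific sync token will also receive a 403 from this rule; that is the loss of functionality the advisory warns about, so treat the block as a stopgap until the upgrade to 1.41.1 is done, then remove it.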

### References
n/a

### For more information
If you have any questions or comments about this advisory, e-mail us at [email protected].

Affected Packages

PyPI matrix-synapse
Affected versions: all versions before 1.41.1 (fixed in 1.41.1)

Related CVEs

Key Information

GHSA ID
GHSA-3x4c-pq33-4w3q
Published
September 1, 2021 6:25 PM
Last Modified
September 24, 2024 3:36 PM
CVSS Score
2.5 /10
Primary Ecosystem
PyPI
Primary Package
matrix-synapse
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.