GHSA-hxmp-pqch-c8mm

GitHub Security Advisory

Denial of service attack via incorrect parameters in Matrix Synapse

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request.

This can lead to a denial of service in which future events will not be correctly sent to other servers over federation.

This affects any server which accepts federation requests from untrusted servers.
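The Impact section describes a mismatch between the room id in the request path and the room id inside the submitted event. The following is an added, illustrative example of the kind of consistency check a receiving homeserver should apply before accepting such an event; it is not Synapse's code, the handler and error names are assumptions, and the sample events are constructed.

```python
"""Consistency check between the room id in a federation request path and the
room id inside the event body. Illustrative only: this is not Synapse's code
and the handler/function names are assumptions."""

from typing import Any, Dict, Tuple

# Federation endpoints whose path carries a room id that must agree with the
# room id in the submitted event (the endpoints named in the advisory).
ROOM_ID_ENDPOINTS = ("send_join", "send_leave", "invite", "exchange_third_party_invite")


class FederationRequestError(Exception):
    """Hypothetical error type: the caller maps it to an HTTP 400 response."""


def check_room_id_matches(path_room_id: str, event: Dict[str, Any]) -> None:
    """Reject an event whose room_id field differs from the room id in the URL.

    Without this check, a remote homeserver could get an event stored and
    federated under a room it does not belong to, which is the mismatch
    the advisory describes.
    """
    event_room_id = event.get("room_id")
    if not isinstance(event_room_id, str):
        raise FederationRequestError("event has no string room_id")
    if event_room_id != path_room_id:
        raise FederationRequestError(
            f"room id in path ({path_room_id}) does not match event ({event_room_id})"
        )


def handle_federation_event(
    endpoint: str, path_room_id: str, event: Dict[str, Any]
) -> Tuple[int, str]:
    """Dispatch one of the affected endpoints after the consistency check.

    Returns an (HTTP status, message) pair instead of performing the real
    join/leave/invite processing, which is out of scope here.
    """
    if endpoint not in ROOM_ID_ENDPOINTS:
        return 404, "unknown endpoint"
    try:
        check_room_id_matches(path_room_id, event)
    except FederationRequestError as exc:
        return 400, str(exc)
    # Only here would a real handler continue with signature checks and auth rules.
    return 200, f"{endpoint} accepted for {path_room_id}"


# Constructed sample request bodies (not real traffic).
GOOD_EVENT = {
    "type": "m.room.member",
    "room_id": "!room:example.org",
    "sender": "@alice:remote.example",
    "state_key": "@alice:remote.example",
    "content": {"membership": "join"},
}
# The same event submitted under a different room in the request path.
MISMATCHED_PATH = "!other:example.org"


def demo() -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Run the check once with matching ids and once with a mismatched path."""
    accepted = handle_federation_event("send_join", "!room:example.org", GOOD_EVENT)
    rejected = handle_federation_event("send_join", MISMATCHED_PATH, GOOD_EVENT)
    return accepted, rejected


if __name__ == "__main__":
    for status, msg in demo():
        print(status, msg)
```

The check is deliberately applied before any signature or authorization processing, so a mismatched event is rejected without being persisted or forwarded to other servers.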

### Patches

The issue is resolved by https://github.com/matrix-org/synapse/pull/8776.

### Workarounds

Homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).

Affected Packages

PyPI matrix-synapse
Affected versions: 0 (fixed in 1.23.1)

Related CVEs

Key Information

GHSA ID
GHSA-hxmp-pqch-c8mm
Published
December 9, 2020 6:21 PM
Last Modified
September 24, 2024 5:44 PM
CVSS Score
7.5 /10
Primary Ecosystem
PyPI
Primary Package
matrix-synapse
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.