PyPI: matrix-synapse
CVE-2026-45076
Safety vulnerability ID: SFTY-20260514-30731
Safety legacy ID: pyup.io-97491
Overview
Synapse pagination Denial of Service
Advisory
Affected versions of the matrix-synapse package are vulnerable to Improper Input Validation due to insufficient validation of federation event data used during room history pagination. The pagination handler fails to validate that room events received from remote homeservers conform to expected structural constraints, allowing maliciously crafted events to corrupt the pagination state.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260514-30731/CVE-2026-45076
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45076
- https://github.com/advisories/GHSA-6qf2-7x63-mm6v
- https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v
- https://nvd.nist.gov/vuln/detail/CVE-2026-45076
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-194.yaml
Verified by Safety
