Synapse pagination Denial of Service

GHSA-6qf2-7x63-mm6v · CVE-2026-45076 · PYSEC-2026-194

Published May 14, 2026 · Modified Jun 9, 2026

Description

Impact

In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients.

Clients could therefore fail to display room history.

Patches

Update to Synapse 1.152.1 or later.

Workarounds

There are no known workarounds for this issue.

Identifiers

ELEMENTSEC-2025-1636

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

References

WEB https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45076
PACKAGE https://github.com/element-hq/synapse
WEB https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-194.yaml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes