PYSEC-2026-1611

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-1611.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1611
Aliases
Published
2026-07-07T14:34:46.390890Z
Modified
2026-07-07T17:47:03.469944876Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Synapse allows a a malformed invite to break the invitee's `/sync`
Details

Impact

Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality.

Patches

Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.

Workarounds

Server administrators can disable federation from untrusted servers.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

References

Affected packages

PyPI / matrix-synapse

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.120.1

Affected versions

0.*
0.33.5
0.33.5.1
0.33.6rc1
0.33.6
0.33.7rc1
0.33.7rc2
0.33.7
0.33.8rc2
0.33.8
0.33.9
0.34.0rc1
0.34.0rc2
0.34.0
0.34.0.1
0.34.1.1
0.99.0rc1
0.99.0rc2
0.99.0rc3
0.99.0rc4
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3
0.99.3.1
0.99.3.2
0.99.4rc1
0.99.4
0.99.5rc1
0.99.5
0.99.5.1
0.99.5.2
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.3.0rc1
1.3.0
1.3.1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0
1.9.0.dev1
1.9.0.dev2
1.9.0rc1
1.9.0
1.9.1
1.10.0rc1
1.10.0rc2
1.10.0rc3
1.10.0rc5
1.10.0
1.10.1
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1rc1
1.12.1
1.12.2
1.12.3
1.12.4rc1
1.12.4
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.15.0rc1
1.15.0
1.15.1
1.15.2
1.16.0rc1
1.16.0rc2
1.16.0
1.16.1
1.17.0rc1
1.17.0
1.18.0rc1
1.18.0rc2
1.18.0
1.19.0rc1
1.19.0
1.19.1rc1
1.19.1
1.19.2
1.19.3
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0rc4
1.20.0rc5
1.20.0
1.20.1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.1
1.21.2
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0rc2
1.24.0
1.25.0rc1
1.25.0
1.26.0rc1
1.26.0rc2
1.26.0
1.27.0rc1
1.27.0rc2
1.27.0
1.28.0rc1
1.28.0
1.29.0rc1
1.29.0
1.30.0rc1
1.30.0
1.30.1
1.31.0rc1
1.31.0
1.32.0rc1
1.32.0
1.32.1
1.32.2
1.33.0rc1
1.33.0rc2
1.33.0
1.33.1
1.33.2
1.34.0rc1
1.34.0
1.35.0rc1
1.35.0rc2
1.35.0rc3
1.35.0
1.35.1
1.36.0rc1
1.36.0rc2
1.36.0
1.37.0rc1
1.37.0
1.37.1rc1
1.37.1
1.38.0rc1
1.38.0rc2
1.38.0rc3
1.38.0
1.38.1
1.39.0rc1
1.39.0rc2
1.39.0rc3
1.39.0
1.40.0rc1
1.40.0rc2
1.40.0rc3
1.40.0
1.41.0rc1
1.41.0
1.41.1
1.42.0rc1
1.42.0rc2
1.42.0
1.43.0rc1
1.43.0rc2
1.43.0
1.44.0rc1
1.44.0rc2
1.44.0rc3
1.44.0
1.45.0rc1
1.45.0rc2
1.45.0
1.45.1
1.46.0rc1
1.46.0
1.47.0rc1
1.47.0rc2
1.47.0rc3
1.47.0
1.47.1
1.48.0rc1
1.48.0
1.49.0rc1
1.49.0
1.49.2
1.50.0rc1
1.50.0rc2
1.50.0
1.50.1
1.50.2
1.51.0rc1
1.51.0rc2
1.51.0
1.52.0rc1
1.52.0
1.53.0rc1
1.53.0
1.54.0rc1
1.54.0
1.55.0rc1
1.55.0
1.55.1
1.55.2
1.56.0rc1
1.56.0
1.57.0rc1
1.57.0
1.57.1
1.58.0rc2
1.58.0
1.58.1
1.59.0rc1
1.59.0rc2
1.59.0
1.59.1
1.60.0rc1
1.60.0rc2
1.60.0
1.61.0rc1
1.61.0
1.61.1
1.62.0rc1
1.62.0rc2
1.62.0rc3
1.62.0
1.63.0rc1
1.63.0
1.63.1
1.64.0rc1
1.64.0rc2
1.64.0
1.65.0rc1
1.65.0rc2
1.65.0
1.66.0rc1
1.66.0rc2
1.66.0
1.67.0rc1
1.67.0
1.68.0rc1
1.68.0rc2
1.68.0
1.69.0rc1
1.69.0rc2
1.69.0rc4
1.69.0
1.70.0rc1
1.70.0rc2
1.70.0
1.70.1
1.71.0rc1
1.71.0rc2
1.71.0
1.72.0rc1
1.72.0
1.73.0rc2
1.73.0
1.74.0rc1
1.74.0
1.75.0rc1
1.75.0rc2
1.75.0
1.76.0rc1
1.76.0rc2
1.76.0
1.77.0rc1
1.77.0rc2
1.77.0
1.78.0rc1
1.78.0
1.79.0rc1
1.79.0rc2
1.79.0
1.80.0rc1
1.80.0rc2
1.80.0
1.81.0rc1
1.81.0rc2
1.81.0
1.82.0rc1
1.82.0
1.83.0rc1
1.83.0
1.84.0rc1
1.84.0
1.84.1
1.85.0rc1
1.85.0rc2
1.85.0
1.85.1
1.85.2
1.86.0rc2
1.86.0
1.87.0rc1
1.87.0
1.88.0rc1
1.88.0
1.89.0rc1
1.89.0
1.90.0rc1
1.90.0
1.91.0rc1
1.91.0
1.91.1
1.91.2
1.92.0rc1
1.92.1
1.92.2
1.92.3
1.93.0rc1
1.93.0
1.94.0rc1
1.94.0
1.95.0rc1
1.95.0
1.95.1
1.96.0rc1
1.96.1
1.97.0rc1
1.97.0
1.98.0rc1
1.98.0
1.99.0rc1
1.99.0
1.100.0rc2
1.100.0rc3
1.100.0
1.101.0rc1
1.101.0
1.102.0rc1
1.102.0
1.103.0rc1
1.103.0
1.104.0rc1
1.104.0
1.105.0rc1
1.105.0
1.105.1
1.106.0rc1
1.106.0
1.107.0rc1
1.107.0
1.108.0rc1
1.108.0
1.109.0rc1
1.109.0rc2
1.109.0rc3
1.109.0
1.110.0rc2
1.110.0rc3
1.110.0
1.111.0rc1
1.111.0rc2
1.111.0
1.111.1
1.112.0rc1
1.112.0
1.113.0rc1
1.113.0
1.114.0rc1
1.114.0rc3
1.114.0
1.115.0rc1
1.115.0rc2
1.115.0
1.116.0rc1
1.116.0rc2
1.116.0
1.117.0rc1
1.117.0
1.118.0rc1
1.118.0
1.119.0rc2
1.119.0
1.120.0rc1
1.120.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-1611.yaml"