PYSEC-2026-1612

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-1612.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1612
Aliases
Published
2026-07-07T16:03:07.105115Z
Modified
2026-07-07T17:46:57.337789820Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Synapse's invalid device keys degrade federation functionality
Details

Impact

Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.

Patches

Patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2.

Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, it is recommend to skip these releases and upgrading straight to 1.138.4 and 1.139.2.

Workarounds

The vulnerability can only be exploited by users registered on the victim homeserver.

References

Affected packages

PyPI / matrix-synapse

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.138.3
Introduced
1.139.0rc2
Fixed
1.139.1

Affected versions

0.*
0.33.5
0.33.5.1
0.33.6rc1
0.33.6
0.33.7rc1
0.33.7rc2
0.33.7
0.33.8rc2
0.33.8
0.33.9
0.34.0rc1
0.34.0rc2
0.34.0
0.34.0.1
0.34.1.1
0.99.0rc1
0.99.0rc2
0.99.0rc3
0.99.0rc4
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3
0.99.3.1
0.99.3.2
0.99.4rc1
0.99.4
0.99.5rc1
0.99.5
0.99.5.1
0.99.5.2
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.3.0rc1
1.3.0
1.3.1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0
1.9.0.dev1
1.9.0.dev2
1.9.0rc1
1.9.0
1.9.1
1.10.0rc1
1.10.0rc2
1.10.0rc3
1.10.0rc5
1.10.0
1.10.1
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1rc1
1.12.1
1.12.2
1.12.3
1.12.4rc1
1.12.4
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.15.0rc1
1.15.0
1.15.1
1.15.2
1.16.0rc1
1.16.0rc2
1.16.0
1.16.1
1.17.0rc1
1.17.0
1.18.0rc1
1.18.0rc2
1.18.0
1.19.0rc1
1.19.0
1.19.1rc1
1.19.1
1.19.2
1.19.3
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0rc4
1.20.0rc5
1.20.0
1.20.1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.1
1.21.2
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0rc2
1.24.0
1.25.0rc1
1.25.0
1.26.0rc1
1.26.0rc2
1.26.0
1.27.0rc1
1.27.0rc2
1.27.0
1.28.0rc1
1.28.0
1.29.0rc1
1.29.0
1.30.0rc1
1.30.0
1.30.1
1.31.0rc1
1.31.0
1.32.0rc1
1.32.0
1.32.1
1.32.2
1.33.0rc1
1.33.0rc2
1.33.0
1.33.1
1.33.2
1.34.0rc1
1.34.0
1.35.0rc1
1.35.0rc2
1.35.0rc3
1.35.0
1.35.1
1.36.0rc1
1.36.0rc2
1.36.0
1.37.0rc1
1.37.0
1.37.1rc1
1.37.1
1.38.0rc1
1.38.0rc2
1.38.0rc3
1.38.0
1.38.1
1.39.0rc1
1.39.0rc2
1.39.0rc3
1.39.0
1.40.0rc1
1.40.0rc2
1.40.0rc3
1.40.0
1.41.0rc1
1.41.0
1.41.1
1.42.0rc1
1.42.0rc2
1.42.0
1.43.0rc1
1.43.0rc2
1.43.0
1.44.0rc1
1.44.0rc2
1.44.0rc3
1.44.0
1.45.0rc1
1.45.0rc2
1.45.0
1.45.1
1.46.0rc1
1.46.0
1.47.0rc1
1.47.0rc2
1.47.0rc3
1.47.0
1.47.1
1.48.0rc1
1.48.0
1.49.0rc1
1.49.0
1.49.2
1.50.0rc1
1.50.0rc2
1.50.0
1.50.1
1.50.2
1.51.0rc1
1.51.0rc2
1.51.0
1.52.0rc1
1.52.0
1.53.0rc1
1.53.0
1.54.0rc1
1.54.0
1.55.0rc1
1.55.0
1.55.1
1.55.2
1.56.0rc1
1.56.0
1.57.0rc1
1.57.0
1.57.1
1.58.0rc2
1.58.0
1.58.1
1.59.0rc1
1.59.0rc2
1.59.0
1.59.1
1.60.0rc1
1.60.0rc2
1.60.0
1.61.0rc1
1.61.0
1.61.1
1.62.0rc1
1.62.0rc2
1.62.0rc3
1.62.0
1.63.0rc1
1.63.0
1.63.1
1.64.0rc1
1.64.0rc2
1.64.0
1.65.0rc1
1.65.0rc2
1.65.0
1.66.0rc1
1.66.0rc2
1.66.0
1.67.0rc1
1.67.0
1.68.0rc1
1.68.0rc2
1.68.0
1.69.0rc1
1.69.0rc2
1.69.0rc4
1.69.0
1.70.0rc1
1.70.0rc2
1.70.0
1.70.1
1.71.0rc1
1.71.0rc2
1.71.0
1.72.0rc1
1.72.0
1.73.0rc2
1.73.0
1.74.0rc1
1.74.0
1.75.0rc1
1.75.0rc2
1.75.0
1.76.0rc1
1.76.0rc2
1.76.0
1.77.0rc1
1.77.0rc2
1.77.0
1.78.0rc1
1.78.0
1.79.0rc1
1.79.0rc2
1.79.0
1.80.0rc1
1.80.0rc2
1.80.0
1.81.0rc1
1.81.0rc2
1.81.0
1.82.0rc1
1.82.0
1.83.0rc1
1.83.0
1.84.0rc1
1.84.0
1.84.1
1.85.0rc1
1.85.0rc2
1.85.0
1.85.1
1.85.2
1.86.0rc2
1.86.0
1.87.0rc1
1.87.0
1.88.0rc1
1.88.0
1.89.0rc1
1.89.0
1.90.0rc1
1.90.0
1.91.0rc1
1.91.0
1.91.1
1.91.2
1.92.0rc1
1.92.1
1.92.2
1.92.3
1.93.0rc1
1.93.0
1.94.0rc1
1.94.0
1.95.0rc1
1.95.0
1.95.1
1.96.0rc1
1.96.1
1.97.0rc1
1.97.0
1.98.0rc1
1.98.0
1.99.0rc1
1.99.0
1.100.0rc2
1.100.0rc3
1.100.0
1.101.0rc1
1.101.0
1.102.0rc1
1.102.0
1.103.0rc1
1.103.0
1.104.0rc1
1.104.0
1.105.0rc1
1.105.0
1.105.1
1.106.0rc1
1.106.0
1.107.0rc1
1.107.0
1.108.0rc1
1.108.0
1.109.0rc1
1.109.0rc2
1.109.0rc3
1.109.0
1.110.0rc2
1.110.0rc3
1.110.0
1.111.0rc1
1.111.0rc2
1.111.0
1.111.1
1.112.0rc1
1.112.0
1.113.0rc1
1.113.0
1.114.0rc1
1.114.0rc3
1.114.0
1.115.0rc1
1.115.0rc2
1.115.0
1.116.0rc1
1.116.0rc2
1.116.0
1.117.0rc1
1.117.0
1.118.0rc1
1.118.0
1.119.0rc2
1.119.0
1.120.0rc1
1.120.0
1.120.2
1.121.0rc1
1.121.0
1.121.1
1.122.0rc1
1.122.0
1.123.0rc1
1.123.0
1.124.0rc1
1.124.0rc2
1.124.0rc3
1.124.0
1.125.0rc1
1.125.0
1.126.0rc2
1.126.0rc3
1.126.0
1.127.0rc1
1.127.0
1.127.1
1.128.0rc1
1.128.0
1.129.0rc2
1.129.0
1.130.0rc1
1.130.0
1.131.0rc1
1.131.0
1.132.0rc1
1.132.0
1.133.0rc1
1.133.0
1.134.0rc1
1.134.0
1.135.0rc1
1.135.0rc2
1.135.0
1.135.2
1.136.0rc1
1.136.0rc2
1.136.0
1.137.0rc1
1.137.0
1.138.0rc1
1.138.0
1.138.2
1.139.0rc2
1.139.0rc3
1.139.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-1612.yaml"