In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
m.room.power_levels
"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-844.yaml"