CVE-2020-26257: Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poo...

Description

Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack. Issue is fixed in version 1.23.1. As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

2.36%

81.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Matrix	Synapse	< 1.23.1
Fedoraproject	Fedora	32
Fedoraproject	Fedora	33

References

https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09Release Notes, Third Party Advisory
https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8bPatch, Third Party Advisory
https://github.com/matrix-org/synapse/pull/8776Patch, Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mmThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/
https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09Release Notes, Third Party Advisory
https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8bPatch, Third Party Advisory
https://github.com/matrix-org/synapse/pull/8776Patch, Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mmThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/

Timeline

Published: Dec 9, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-26257?

Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack. Issue is fixed in version 1.23.1. As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).

How severe is CVE-2020-26257?

CVE-2020-26257 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 2.36% probability of exploitation in the next 30 days.

How do I fix CVE-2020-26257?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.