matrix-synapse is vulnerable to Improper Verification of Cryptographic Signature
78
High Risk
Affected versions of this package are vulnerable to improper validation of server signing keys in federation requests. Synapse may accept events and federation requests signed with banned or otherwise insecure server signing keys, allowing a malicious or compromised server to authenticate requests that should be rejected. This could enable unauthorized federation interactions or the injection of untrusted events. The issue is fixed by rejecting requests and events authenticated with banned signing keys.
You are affected if you are using a version that falls within the vulnerable range.
matrix-synapse is vulnerable to Improper Verification of Cryptographic Signature in versions 0.0.1 - 1.147.0.
Upgrade matrix-synapse to a patched version, that is, a release outside the affected range above.
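A check for this advisory's affected range, as an added example (not code from the advisory or from the Synapse project): it flags exact pins of matrix-synapse in requirements-style lines and reports on the installed version. It assumes the range 0.0.1 - 1.147.0 is inclusive at both ends and compares only the numeric release part, so suffixes such as `rc1` are ignored; the function names and sample lines are constructed for illustration.

```python
import re
from importlib import metadata

PACKAGE = "matrix-synapse"
# Affected range from the advisory; treating both ends as inclusive is an assumption.
AFFECTED_MIN, AFFECTED_MAX = (0, 0, 1), (1, 147, 0)
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def normalize(name):
    """PEP 503 name normalization, so Matrix_Synapse and matrix.synapse match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Numeric release part as a 3-tuple; suffixes such as rc1 are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0])[:3])

def is_affected(version):
    return AFFECTED_MIN <= release_tuple(version) <= AFFECTED_MAX

def scan_requirements(lines):
    """Return (line_number, version) for each affected exact (==) pin of the package."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) == PACKAGE and is_affected(m.group(2)):
            hits.append((number, m.group(2)))
    return hits

def installed_is_affected():
    """True/False for the installed package, None if it is not installed."""
    try:
        return is_affected(metadata.version(PACKAGE))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample input, not taken from any real project.
SAMPLE = [
    "Matrix_Synapse[postgres]==1.147.0",
    "matrix-synapse==1.148.0",
    "matrix-synapse-ldap3==0.3.0",
    "matrix.synapse == 1.98.0rc1  # old staging pin",
]

if __name__ == "__main__":
    print(scan_requirements(SAMPLE), installed_is_affected())
```

Range specifiers such as `>=` or `~=` are not evaluated here; resolve those to the installed version and check it with `installed_is_affected()`.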