QSearchQSearch

CVE-2021-39163

3.1 LOW

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP

Published: 2021-08-31 · Last updated: 2026-06-17

Severity and scoring

CVSS
3.1 LOW
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
CWE-200, CWE-863

Affected products

VendorProduct
fedoraprojectfedora, synapse
matrixfedora, synapse

Description

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting `enable_group_creation` has been set to `true` are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set `enable_group_creation` to `false` in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could, with partial loss of group functionality, block the endpoints `/_matrix/client/r0/groups/{group_id}/rooms` and `/_matrix/client/unstable/groups/{group_id}/rooms`.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2024-28960 An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto (8.2 HIGH)
  • CVE-2023-51767 OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer ... (7.0 HIGH)
  • CVE-2023-43615 Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow (7.5 HIGH)
  • CVE-2023-25136 OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling (6.5 MEDIUM)
  • CVE-2022-46393 An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 (9.8 CRITICAL)

Same CWE

  • CVE-2026-12117 Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to ...
  • CVE-2026-53860 OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries... (4.2 MEDIUM)
  • CVE-2026-53855 OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks ... (8.1 HIGH)
  • CVE-2026-53854 OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows sender... (6.5 MEDIUM)
  • CVE-2026-53853 OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowe... (8.3 HIGH)