CVE-2026-45078
EPSS 0.01%Synapse CPU starvation (Denial of Service)
Published: 5/14/2026Modified: 6/3/2026
Description
### Impact Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. Homeservers that trust all their local users are not at risk. ### Patches Update to Synapse 1.152.1 or later. ### Workarounds If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack. ### Identifiers - ELEMENTSEC-2026-1706 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).
Affected packages (2)
- Debian/matrix-synapsefrom 0, < 1.152.1-1
- PyPI/matrix-synapsefrom 0, < 1.152.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
References (5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-45078
- PATCHhttps://github.com/element-hq/synapse
- WEBhttps://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a
- WEBhttps://github.com/element-hq/synapse/issues/19394
- WEBhttps://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g