CVE-2026-63095 in dendrite
Summary
by MITRE • 07/17/2026
Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint without ownership verification. Attackers can exploit the unverified Forget3PID handler to remove a victim's email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim's password reset flow.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability exists within the Dendrite matrix server software version 0138 and represents a critical improper authorization flaw that undermines the security of user account management. The issue stems from insufficient validation mechanisms within the Client-Server API implementation where authenticated local users can exploit a weakness in the account deletion endpoint to remove third-party identifier bindings belonging to other users. This vulnerability specifically affects the Forget3PID handler which is designed to allow users to remove their own third-party identifiers but fails to verify ownership of the target binding before executing the deletion operation.
The technical exploitation of this vulnerability follows a precise sequence that leverages the absence of proper authorization checks within the Matrix protocol implementation. An authenticated attacker can submit arbitrary address and medium parameters to the account deletion endpoint without demonstrating ownership of the target identifier, effectively allowing them to remove any user's email address or phone number binding from the system. This flaw directly violates the principle of least privilege and authorization verification that should be fundamental to all user account management operations within secure systems.
The operational impact of this vulnerability extends beyond simple unauthorized data modification and creates a sophisticated attack vector for account takeover scenarios. When an attacker successfully removes a victim's third-party identifier binding, they can subsequently rebind that same address through an identity server, effectively hijacking the victim's password reset flow and gaining unauthorized access to their account. This represents a significant escalation from simple data manipulation to full account compromise, as the attacker can now intercept password reset emails or SMS messages intended for the legitimate user.
This vulnerability aligns with CWE-862 which defines improper authorization as a weakness where a system fails to properly verify that an actor has adequate access rights to perform a requested operation. The flaw also maps to ATT&CK technique T1531 which covers "Account Access Removal" and T1566 which addresses "Phishing" through the manipulation of password reset mechanisms. The attack chain demonstrates how insufficient input validation and authorization checks can create cascading security failures that compromise user authentication flows. Organizations using Dendrite versions 0138 or earlier are particularly vulnerable as this represents a fundamental flaw in the server's account management system that allows arbitrary users to manipulate critical authentication data.
Mitigation strategies should prioritize immediate patching of affected Dendrite installations to version 0139 or later where the authorization checks have been properly implemented. Additionally, administrators should implement monitoring for unauthorized deletion operations within their Matrix server logs and consider implementing additional access controls for account management functions. The fix typically involves adding proper ownership verification before executing any third-party identifier removal operations, ensuring that only the legitimate user or authorized administrators can modify another user's binding information. Organizations should also conduct security reviews of their identity server configurations to prevent abuse of the re-binding functionality that enables the complete attack chain from identifier removal through account takeover.