CVE-2026-63096 in dendriteinfo

Summary

by MITRE • 07/17/2026

Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers can exploit distinguishable error response classes and leaked internal IP addresses in error messages to perform blind port scanning and enumerate internal network topology.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability exists within the Dendrite matrix server software version 0.13.8 and earlier, representing a critical server-side request forgery flaw that enables unauthenticated attackers to manipulate the application's outbound network behavior. The vulnerability specifically affects the legacy media download endpoint which accepts an unvalidated serverName parameter, allowing malicious actors to instruct the server to establish TLS connections to arbitrary external hosts and ports without proper authentication or authorization checks.

The technical implementation of this flaw stems from insufficient input validation within the media handling component of the Dendrite server. When processing requests through the legacy media download endpoint, the application fails to properly sanitize or validate the serverName parameter, which is then directly used in outbound TLS connection attempts. This parameter validation failure creates a direct path for attackers to specify any target host and port combination, effectively turning the vulnerable server into an unwitting proxy for network reconnaissance activities.

The operational impact of this vulnerability extends beyond simple unauthorized network access, as attackers can leverage distinguishable error response classes to perform blind port scanning operations against internal networks. The application's error handling mechanisms inadvertently leak internal IP addresses within error messages, providing attackers with crucial information about the internal network topology. This information disclosure aspect significantly amplifies the threat potential, as it enables attackers to map internal network structures and identify potentially sensitive systems without direct access to the internal infrastructure.

From a cybersecurity perspective, this vulnerability aligns with CWE-918 Server-Side Request Forgery and maps to several ATT&CK techniques including T1046 Network Service Scanning and T1071.004 Application Layer Protocol DNS. The vulnerability represents a particularly dangerous class of flaw because it allows attackers to perform network reconnaissance from within the target environment, potentially bypassing traditional perimeter security controls. Attackers can systematically scan internal ports and services, identify running applications, and map the internal attack surface without requiring direct network access or sophisticated exploitation techniques.

The mitigation strategy requires immediate patching of Dendrite servers to version 0.13.9 or later, which addresses the validation issue in the media download endpoint. Organizations should also implement network segmentation controls and outbound firewall rules to limit the server's ability to connect to arbitrary external hosts, while monitoring for unusual outbound TLS connection patterns. Additionally, administrators should review and harden error handling mechanisms to prevent information leakage of internal IP addresses or system details in error responses, as this secondary vulnerability significantly enhances the attacker's capabilities during reconnaissance phases.

The broader implications highlight the critical importance of input validation in server-side applications and demonstrate how seemingly minor validation gaps can enable sophisticated attack vectors. This vulnerability underscores the need for comprehensive security testing including threat modeling exercises and automated scanning of application code for similar patterns that could lead to unauthorized network access or information disclosure vulnerabilities. Organizations running matrix-based communication platforms must ensure regular security updates and maintain awareness of such vulnerabilities in third-party components they rely upon for critical infrastructure services.

Responsible

VulnCheck

Reservation

07/15/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!