CVE-2026-63097 in dendriteinfo

Summary

by MITRE • 07/17/2026

Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability resides within the Dendrite matrix server software ecosystem, specifically affecting versions through 0.13.8 where an improper access control flaw exists in the syncapi context endpoint implementation. The technical flaw manifests in the membership validation logic located at syncapi/routing/context.go which performs inadequate authorization checks by only examining the RoomExists field while completely disregarding critical membership status indicators including IsInRoom, HasBeenInRoom, and Membership fields. This incomplete validation creates a privilege escalation path where authenticated local users who have previously left a room can exploit this gap to access post-leave room state events that should remain restricted.

The operational impact of this vulnerability extends beyond simple information disclosure as it fundamentally undermines the room membership and access control model that forms the foundation of matrix communication security. Attackers who have departed from a room can leverage this flaw to retrieve current room state data through the context API endpoint, bypassing the normal restrictions that would otherwise prevent access to events occurring after their departure. This behavior contrasts sharply with the proper implementation in /messages and /sync endpoints which correctly withhold post-leave room state information, creating an inconsistent security posture within the same software component.

The vulnerability aligns with CWE-284 Access Control flaws and represents a classic case of insufficient authorization checking that enables unauthorized access to protected resources. From an adversarial perspective, this issue maps to ATT&CK technique T1078 Valid Accounts as authenticated users can exploit their existing credentials to gain access to data they should not logically be able to view after leaving a room. The flaw essentially creates a backdoor mechanism where departing users maintain access to room state information that normally would be restricted upon membership termination, potentially exposing sensitive communication metadata and room configuration changes.

Organizations utilizing Dendrite software should implement immediate mitigations including upgrading to versions that address this access control gap, implementing additional monitoring around context endpoint usage patterns, and conducting comprehensive audits of room membership validation logic. The fix requires proper implementation of membership status checks that evaluate all relevant fields rather than relying solely on RoomExists, ensuring that users who have left a room cannot access post-leave state events through the context API endpoint. Security teams should also consider implementing network-level controls to restrict access to sensitive endpoints and establish baseline behavioral patterns for legitimate users to detect anomalous access attempts that may indicate exploitation of this vulnerability.

Responsible

VulnCheck

Reservation

07/15/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!