Upstream information
Description
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (GitHub) |
|---|---|
| Base Score | 5.1 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | High |
| User Interaction | None |
| Vulnerable System Confidentiality Impact | None |
| Vulnerable System Integrity Impact | None |
| Vulnerable System Availability Impact | Low |
| Subsequent System Confidentiality Impact | None |
| Subsequent System Integrity Impact | None |
| Subsequent System Availability Impact | None |
| CVSSv4 Version | 4.0 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2026-10898 |
SUSE Timeline for this CVE
CVE page created: Thu May 28 20:18:54 2026CVE page last modified: Sat May 30 11:36:33 2026