Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold. | |
| Title | Dendrite 0.13.8 syncapi /context Endpoint Post-Leave State Exposure | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T15:32:45.411Z
Reserved: 2026-07-15T15:45:44.601Z
Link: CVE-2026-63097
No data.
No data.
No data.
OpenCVE Enrichment
No data.