CVE-2026-45078: Synapse CPU starvation (Denial of Service)
(updated )
Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.
Homeservers that trust all their local users are not at risk.
References
- github.com/advisories/GHSA-8q93-326v-3m7g
- github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a
- github.com/element-hq/synapse/issues/19394
- github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-191.yaml
- nvd.nist.gov/vuln/detail/CVE-2026-45078
Code Behaviors & Features
Detect and mitigate CVE-2026-45078 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →