CVE-2026-63097
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM
Base Score 3.x
4.30
Severity 3.x
MEDIUM



