CVE-2023-32682
CVE-2023-32682 is a medium-severity vulnerability in Matrix Synapse with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 1% (51st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-287
- Affected product: Matrix Synapse
- Published:
- Last modified:
Description
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.
Frequently asked questions
- What is CVE-2023-32682?
- Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.
- How severe is CVE-2023-32682?
- CVE-2023-32682 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2023-32682 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (51st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-32682?
- CVE-2023-32682 affects Matrix Synapse. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-32682?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-32682 published?
- CVE-2023-32682 was published on 2023-06-06 and last updated on 2026-06-17.
References
- https://github.com/matrix-org/synapse/pull/15624
- https://github.com/matrix-org/synapse/pull/15634
- https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p
- https://lists.fedoraproject.org/archives/list/[email protected]/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/
- https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account
- https://matrix-org.github.io/synapse/latest/jwt.html
- https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
Affected products (1)
- cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*
More vulnerabilities in Matrix Synapse
- CVE-2019-18835 — Critical (CVSS 9.8): Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join,…
- CVE-2024-53863 — Critical (CVSS 9.1): Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option…
- CVE-2018-16515 — High (CVSS 8.8): Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by…
- CVE-2024-52805 — High (CVSS 7.5): Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain…
- CVE-2024-37302 — High (CVSS 7.5): Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where…
- CVE-2021-41281 — High (CVSS 7.5): Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances…
All CVEs affecting Matrix Synapse →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →