CVE-2023-38686
CVE-2023-38686 is a critical-severity vulnerability in Matrix Sydent with a CVSS 3.x base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-295.
Key facts
- Severity: Critical (CVSS 3.x base score 9.3)
- EPSS exploit prediction: 0% (14th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-295
- Affected product: Matrix Sydent
- Published:
- Last modified:
Description
Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitations and address confirmation emails. This is patched in Sydent 2.5.6. When patching, make sure that Sydent trusts the certificate of the server it is connecting to. This should happen automatically when using properly issued certificates. Those who use self-signed certificates should make sure to copy their Certification Authority certificate, or their self signed certificate if using only one, to the trust store of your operating system. As a workaround, one can ensure Sydent's emails fail to send by setting the configured SMTP server to a loopback or non-routable address under one's control which does not have a listening SMTP server.
Frequently asked questions
- What is CVE-2023-38686?
- Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitations and address confirmation emails. This is patched in Sydent 2.5.6. When patching, make sure that Sydent trusts the certificate of the server it is connecting to. This should happen automatically when using properly issued certificates. Those who use self-signed certificates should make sure to copy their Certification Authority certificate, or their self signed certificate if using only one, to the trust store of your operating system. As a workaround, one can ensure Sydent's emails fail to send by setting the configured SMTP server to a loopback or non-routable address under one's control which does not have a listening SMTP server.
- How severe is CVE-2023-38686?
- CVE-2023-38686 has a CVSS 3.x base score of 9.3, rated critical severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2023-38686 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (14th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-38686?
- CVE-2023-38686 affects Matrix Sydent. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-38686?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2023-38686 published?
- CVE-2023-38686 was published on 2023-08-04 and last updated on 2026-06-17.
References
- https://docs.python.org/3/library/ssl.html?highlight=ssl#security-considerations
- https://github.com/matrix-org/sydent/commit/1cd748307c6b168b66154e6c4db715d4b9551261
- https://github.com/matrix-org/sydent/pull/574
- https://github.com/matrix-org/sydent/releases/tag/v2.5.6
- https://github.com/matrix-org/sydent/security/advisories/GHSA-p6hw-wm59-3g5g
- https://github.com/python/cpython/issues/91826
- https://peps.python.org/pep-0476/
Affected products (1)
- cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*
More vulnerabilities in Matrix Sydent
- CVE-2021-29431 — High (CVSS 7.7): Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due…
- CVE-2021-29430 — High (CVSS 7.5): Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients.…
- CVE-2019-11842 — High (CVSS 7.5): An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is…
- CVE-2019-11340 — Medium (CVSS 5.9): util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain,…
- CVE-2021-29432 — Medium (CVSS 5.3): Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the…
- CVE-2021-29433 — Medium (CVSS 4.3): Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 and prior, sissing input validation of some…
All CVEs affecting Matrix Sydent →
Other CWE-295 (Improper Certificate Validation) vulnerabilities
- CVE-2026-4370 — Critical (CVSS 10.0): A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the…
- CVE-2026-30836 — Critical (CVSS 10.0): Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6…
- CVE-2025-68121 — Critical (CVSS 10.0): During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between…
- CVE-2022-20703 — Critical (CVSS 10.0): Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker…
- CVE-2021-1471 — Critical (CVSS 9.9): Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms…
- CVE-2026-20184 — Critical (CVSS 9.8): A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed…
Browse all CWE-295 (Improper Certificate Validation) vulnerabilities →