Dendrite · Dendrite · CVE-2022-39200
**Name of the Vulnerable Software and Affected Versions**
Dendrite versions prior to 0.9.8
**Description**
Events fetched from a remote homeserver through the federation "/get_missing_events" endpoint were not signature-checked correctly, so a remote homeserver could supply invalid or modified events to Dendrite via this path. Events retrieved through other endpoints, such as "/event" and "/state", were verified correctly. Homeservers with federation disabled are not vulnerable.
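The check that was missing on this one path, as an added Go example (not Dendrite's own code): it applies the Matrix event-signature rule, ed25519 over the canonical JSON of the event with its "signatures" and "unsigned" keys removed, to any event a remote homeserver returns, whichever endpoint it came through. The server name, key ID and sample event are constructed, and redaction is not implemented, so the event is treated as already redacted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// signingJSON: Matrix "Signing JSON" = the event minus "signatures" and
// "unsigned", as canonical JSON (sorted keys, no whitespace, no HTML escaping).
func signingJSON(ev map[string]interface{}) ([]byte, error) {
	stripped := make(map[string]interface{}, len(ev))
	for k, v := range ev {
		if k != "signatures" && k != "unsigned" {
			stripped[k] = v
		}
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf) // encoding/json sorts map keys for us
	enc.SetEscapeHTML(false)
	err := enc.Encode(stripped)
	return bytes.TrimRight(buf.Bytes(), "\n"), err
}
// VerifyEventSignature is the check every federation path must apply to an event
// from a remote homeserver, whichever endpoint returned it (ev: already redacted).
func VerifyEventSignature(ev map[string]interface{}, server, keyID string, pub ed25519.PublicKey) bool {
	sigs, _ := ev["signatures"].(map[string]interface{})
	byServer, _ := sigs[server].(map[string]interface{})
	sigB64, _ := byServer[keyID].(string)
	sig, decErr := base64.RawStdEncoding.DecodeString(sigB64) // Matrix uses unpadded base64
	msg, jsonErr := signingJSON(ev)
	return decErr == nil && jsonErr == nil && ed25519.Verify(pub, msg, sig)
}
// SignEvent is the sending side; used here only to build test input.
func SignEvent(ev map[string]interface{}, server, keyID string, priv ed25519.PrivateKey) {
	msg, _ := signingJSON(ev)
	ev["signatures"] = map[string]interface{}{server: map[string]interface{}{
		keyID: base64.RawStdEncoding.EncodeToString(ed25519.Sign(priv, msg))}}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key, not a real server key
	ev := map[string]interface{}{"type": "m.room.join_rules", "state_key": "", "content": map[string]interface{}{"join_rule": "invite"}}
	SignEvent(ev, "remote.example", "ed25519:k1", priv)
	fmt.Println("genuine:", VerifyEventSignature(ev, "remote.example", "ed25519:k1", pub)) // true
	ev["content"].(map[string]interface{})["join_rule"] = "public" // modified in transit
	fmt.Println("tampered:", VerifyEventSignature(ev, "remote.example", "ed25519:k1", pub)) // false
}
```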
**Recommendations**
For Dendrite versions prior to 0.9.8, upgrade to Dendrite 0.9.8 to resolve the issue. As a temporary workaround, consider disabling federation to minimize the risk of exploitation. Note that there are no other known workarounds for this issue.