PT-2021-22420 · Matrix+1

0Xkasper · Published 2021-08-31 · Updated 2024-06-15 · CVE-2021-39163

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Matrix versions 1.41.0 and prior

Description: Unauthorised users can access the name, avatar, topic, and number of members of a room if they know the ID of the room. This issue is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups, which requires the configuration setting enable_group_creation to be set to true. By default, only homeserver administrators can create groups, and they already have access to this information through the database or admin API.

Recommendations: To patch the vulnerability, server administrators should upgrade to version 1.41.1 or higher. As a temporary workaround, server administrators can set enable_group_creation to false in their homeserver configuration to prevent creation of groups by non-administrators. Administrators using a reverse proxy can block the endpoints /_matrix/client/r0/groups/{group_id}/rooms and /_matrix/client/unstable/groups/{group_id}/rooms to minimize the risk, albeit with partial loss of group functionality.
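As an added example (not part of this advisory or of the Matrix project), the path rule that the recommended reverse-proxy block would enforce, applied to a few constructed access-log lines so an administrator can check whether the two group-rooms endpoints were requested before the upgrade; the log layout, the sample group ID and the equivalent nginx rule in the comment are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic), combined log layout.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2021:10:01:02 +0000] "GET /_matrix/client/r0/groups/%2Bexample%3Aexample.org/rooms HTTP/1.1" 200 512
203.0.113.5 - - [31/Aug/2021:10:01:03 +0000] "GET /_matrix/client/unstable/groups/+example:example.org/rooms HTTP/1.1" 200 498
198.51.100.7 - - [31/Aug/2021:10:02:11 +0000] "GET /_matrix/client/r0/groups/+example:example.org/profile HTTP/1.1" 200 120
198.51.100.7 - - [31/Aug/2021:10:02:12 +0000] "GET /_matrix/client/r0/sync HTTP/1.1" 200 9001
"""

# The two endpoints named in the advisory; group IDs have the form '+localpart:server'.
# Assumed equivalent nginx rule for the workaround (not from the advisory):
#   location ~ ^/_matrix/client/(r0|unstable)/groups/[^/]+/rooms$ { return 403; }
GROUP_ROOMS_RE = re.compile(r"^/_matrix/client/(?:r0|unstable)/groups/[^/]+/rooms/?$")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_group_rooms_request(raw_path: str) -> bool:
    """True if the request path hits one of the advisory's endpoints.

    The query string is dropped and percent-encoding decoded first, so an
    encoded group ID ('%2B...%3A...') is matched the same way as a plain one.
    """
    path = unquote(raw_path.split("?", 1)[0])
    return GROUP_ROOMS_RE.match(path) is not None


def find_group_rooms_hits(log_text: str) -> list[dict]:
    """Return one record per log line that requested a group's room list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_group_rooms_request(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": unquote(m["path"]), "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for h in find_group_rooms_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['path']}")
```

A status of 200 on a flagged line means the room metadata was served; after the proxy block is in place the same paths should log 403.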

Fix

Incorrect Authorization

Information Disclosure


Weakness Enumeration

Related Identifiers

ALT-PU-2021-2675
CVE-2021-39163
GHSA-JJ53-8FMW-F2W2
OPENSUSE-SU-2024:11041-1
PYSEC-2021-424

Affected Products

Alt Linux
Matrix