CVE-2021-39164

Name of the Vulnerable Software and Affected Versions Matrix versions 1.41.0 and prior

Description Unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The issue is limited to rooms with shared history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Administrators of servers that use a reverse proxy could block the endpoints: / matrix/client/r0/rooms/{room id}/members with at query parameter, and / matrix/client/unstable/rooms/{room id}/members with at query parameter.

Recommendations Server administrators should upgrade to 1.41.1 or later in order to receive the patch. As a temporary workaround, administrators of servers that use a reverse proxy could block the endpoints: / matrix/client/r0/rooms/{room id}/members with at query parameter, and / matrix/client/unstable/rooms/{room id}/members with at query parameter, although this may result in unacceptable loss of functionality.