CVE-2026-45078

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Synapse versions prior to 1.152.1

Description Local authenticated users can cause the system to starve other requests of CPU resources, leading to request failures and a denial of service for other users. Homeservers that trust all their local users are not at risk.

Recommendations Update to version 1.152.1 or later. If deployed behind a reverse proxy, configure the proxy to limit the rate of user requests to prevent or increase the difficulty of the attack.

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-770

Related Identifiers

CVE-2026-45078

GHSA-8Q93-326V-3M7G

OPENSUSE-SU-2026:10898-1

Affected Products

Synapse

CVE-2026-45078

Weakness Enumeration

Related Identifiers

Affected Products

References · 10