{"id":"PYSEC-2026-844","summary":"Matrix Synapse Authorization Error","details":"In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no `m.room.power_levels` event in force.","aliases":["CVE-2018-12423","GHSA-ch5v-fhg8-7gv9"],"modified":"2026-07-07T11:46:05.879609167Z","published":"2026-07-06T08:03:21.080320Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12423"},{"type":"WEB","url":"https://github.com/matrix-org/matrix-doc/issues/1304"},{"type":"WEB","url":"https://bugs.debian.org/901549"},{"type":"PACKAGE","url":"https://github.com/matrix-org/synapse"},{"type":"WEB","url":"https://matrix.org/blog/2018/06/14/security-update-synapse-0-31-2"},{"type":"PACKAGE","url":"https://pypi.org/project/matrix-synapse"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-ch5v-fhg8-7gv9"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"PyPI","purl":"pkg:pypi/matrix-synapse"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.31.2"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-844.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}