{"id":"PYSEC-2026-845","summary":"Matrix Synapse Improper Signature Validation","details":"Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.","aliases":["CVE-2018-16515","GHSA-fmvh-rvq5-hhjx"],"modified":"2026-07-07T11:46:05.859030580Z","published":"2026-07-06T08:03:21.195845Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16515"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/issues/3796#event-1833126269"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/commit/5bf8bc79ebc22c61968f2eb487714813fccbdb9b"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/commit/804dd41e18c449e711e443398b95c9f6c68b6fa2"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/commit/a5a0bf5cf71caed3c4e3677d2bce667c147dadfc"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/commit/c127c8d0421f0228a46ebbe280c9537e8d8ea42b"},{"type":"PACKAGE","url":"https://github.com/matrix-org/synapse"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRW7YR2H3ASUSYX4AO4KMY3FNVDNYW3P"},{"type":"WEB","url":"https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1"},{"type":"PACKAGE","url":"https://pypi.org/project/matrix-synapse"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fmvh-rvq5-hhjx"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"PyPI","purl":"pkg:pypi/matrix-synapse"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.33.2.1"},{"introduced":"0.33.3"},{"fixed":"0.33.3.1"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2026-845.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}