We were advised of a bug with the LDAP integration an hour ago that allowed unauthenticated login in certain circumstances when using an old version of the ldap3 python module (v0.9.x).
Currently, this is only known to affect the debian packages of synapse. A fix has been pushed, v0.18.2-2, and it is strongly advised for you to update as soon as possible.
Synapse installed using pip should not be affected, as pip will have bundled a newer version of the ldap3 module.
Many thanks to Adrián Pérez for reporting the problem, and to hexa- for assistance in quickly solving it!
Signed announcement: synapse-debian-security-announcement