Security Disclosure Policy greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Matrix’s user-base from the impact of security issues. On our side, this means:

  • We will respond to security incidents as a priority.
  • We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.
  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability in Matrix, we ask that you disclose it responsibly by emailing [email protected]. Optionally, if you want to encrypt your email, you can use our PGP key. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt the security team will:

  • Review the report, verify the vulnerability and respond with confirmation and/or further information requests; we typically reply within 24 hours.
  • Once the reported security bug has been addressed we will notify the Researcher, who is then welcome to optionally disclose publicly.

The following is a list of known issues and/or things we do not consider to be an issue. Please do not send reports regarding the following:

  • Issues relating to SPF or DMARC.

The Foundation does not ordinarily provide bug bounties, though organisations building on top of Matrix may do so in future.

We maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.

Hall of Fame

    2021-09-23 - Matrix Static - Pascal "nephele" Abresch
    Reported that Matrix Static (used for was vulnerable to XSS via room names due to missing sanitization. Fixed in Matrix Static 0.3.1.
    2021-08-31 - - Thomas Chauchefoin (SonarSource)
    Discovered was running a version of Cachet vulnerable to an SQL injection. Since this host was used solely for running the status page, we fixed this by decommissioning it and switching to Atlassian's Statuspage service.
    2021-07-03 - Synapse - Aaron Raimist
    Discovered that an explicit assignment of power level 0 was misinterpreted as the default power level. Fixed in Synapse v1.40.0.
    Discovered that Element Android was disclosing the filename of end-to-end encrypted attachments to the homeserver. Fixed in Element Android 1.1.8.
    2021-03-01 - Dendrite - Graham Leach-Krouse
    Authentication bypass in SQLite deployments. Fixed in Dendrite v0.3.11.
    2021-02-16 - Matrix React SDK - Guilherme Keerok
    User content sandbox could be tricked into opening arbitrary documents (CVE-2021-21320). Fixed in matrix-react-sdk 3.15.0.
    2021-01-18 - Synapse - Michaël Scherer
    IP blacklist bypass via transitional IPv6 addresses on dual-stack networks (CVE-2021-21392). Fixed in Synapse 1.28.0.
    2021-01-07 - Element iOS - Andrea Spacca
    Element iOS crash via an invalid content payload. Fixed in Element iOS 1.1.4.
    2020-11-17 - Synapse - Michaël Scherer
    Denial of service attack via .well-known lookups (CVE-2021-21274). Fixed in Synapse 1.25.0.
    2020-11-17 - Synapse - Michaël Scherer
    IP blacklist bypass via redirects on some federation and push requests (CVE-2021-21273). Fixed in Synapse 1.25.0.
    2020-09-20 - Synapse - Denis Kasak
    HTML injection in login fallback endpoints could be used for a Cross-site-scripting attack (CVE-2020-26891). Fixed in Synapse 1.21.0.
    2020-09-09 - New Vector Infrastructure - Pritam Mukherjee
    Misconfigured X-Frame in New Vector internal infrastructure could lead to Clickjacking
    2020-08-14 - Element - awesome-michael - Awesome Technologies
    An issue where encrypted state events could break incoming call handling. Fixed in Element 1.7.5
    2020-07-29 - Element - 0x1a8510f2
    An issue where Element Android was leaking PII. Fixed in Element Android 1.0.5
    2020-07-20 - Element - SakiiR
    An issue where an unexpected language ID in a code block could cause Element to crash. Fixed in Element 1.7.3
    2020-07-14 - Synapse - Denis Kasak
    Invalid JSON could become part of the room state, acting as a denial of service vector (CVE-2020-26890). Fixed in Synapse 1.20.0. Disclosed 2020-11-23.
    2020-07-02 - Synapse - Quentin Gliech
    A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in Synapse 1.15.2.
    2020-06-18 - Element - Sorunome
    An issue where replying to a specially formatted message would make it seem like the replier said something they did not. Fixed in Element 1.7.3
    2020-05-10 - Matrix React SDK - Quentin Gliech
    A CSRF attack leading to potential unauthorised access to accounts on servers using single-sign-on flows. Fixed as part of matrix-react-sdk#4685, released in Riot/Web 1.6.3.
    2020-05-03 - e2e spec - David Wong
    A vulnerability in the SAS verification protocol failing to bind the ephemeral public keys. Fixed in MSC2630, which lists the fixed client versions.
    2020-03-03 - Synapse - Rhys Davies
    An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse 1.11.1
    2019-05-02 - sydent - Enguerran Gillier
    HTML injection in email invites. A malicious 3rd party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3
    2019-05-02 - synapse - Enguerran Gillier
    SSRF in the URL preview API, which did not blacklist access to or ::/128 by default. Fixed in Synapse
    2019-05-02 - synapse - Enguerran Gillier
    Insecure pseudo-random number generator in synapse meant that an attacker might be able to predict random values. Fixed in Synapse
    2019-05-02 - sydent - Enguerran Gillier
    Insecure pseudo-random number generator in sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3
    2019-04-22 - Riot/Android - Julien Thomas - Protektoid Project
    Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated here.
    2019-04-20 - Sydent - fs0c131y
    Sydent sesssion ids were predictable, meaning it was possible to infer the total number of validations and also check if an address had been validated. Mitigated here.
    2019-04-18 - Sydent - fs0c131y
    An email validation exploit in Sydent. For more details see here and CVE-2019-11340.
    2019-04-09 - Infrastructure - Jaikey Sarraf
    Identified a unpatched RCE vulnerability in's public-facing Jenkins. It transpired the vulnerability had been exploited by an attacker.
    2018-12-06 - Synapse - Brian Hyde
    XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated here.
    2018-02-19 - Matrix React SDK - rugk
    Origin check of ScalarMessaging postmessage API was insufficient. Mitigated here.

If you think you should be on the list, apologies if we missed you, please mail us at [email protected]