#VU127004 Missing Authentication for Critical Function in Synapse - CVE-2024-37303

Published: December 3, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127004
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-37303
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Synapse
Software vendor: Matrix.org

Description

The vulnerability allows a remote attacker to plant problematic content in the media repository.

The vulnerability exists due to missing authentication for critical functionality in the media repository download endpoints, which trigger the download and caching of remote media from a remote homeserver. A remote attacker can cause the server to fetch and cache remote media and thereby plant problematic content in the media repository.

The planted content then becomes available for unauthenticated download from the local homeserver.
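A defender-side triage helper for the behaviour described above, added here as an example and not code from this advisory or from the Synapse project: it scans homeserver access-log lines for unauthenticated requests to the media download/thumbnail endpoints whose origin server is not the local homeserver, and flags source IPs that pulled several distinct remote media objects. The log line shape, the local server name `example.org` and the sample lines are all constructed assumptions.

```python
"""Flag unauthenticated remote-media fetches in Synapse-style access logs (example, not Synapse code)."""
import re
from collections import defaultdict

LOCAL_SERVER = "example.org"  # assumed local homeserver name

# Source IP, requester ({None} = unauthenticated) and request line; field layout is an assumption.
LINE_RE = re.compile(
    r'- (?P<ip>[0-9a-fA-F.:]+) - \d+ - \{(?P<user>[^}]*)\} .*?"(?P<method>GET|HEAD) (?P<path>\S+) HTTP'
)
# Media download/thumbnail endpoints: the segment after download/thumbnail names the origin server.
MEDIA_RE = re.compile(
    r"^/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/(?P<origin>[^/]+)/(?P<media_id>[^/?]+)"
)

# Constructed sample lines, loosely modelled on Synapse's access-log shape (not real log data).
SAMPLE_LOG = """\
2024-12-03 10:00:01,000 - synapse.access.http.8008 - 460 - INFO - GET-1 - 203.0.113.5 - 8008 - {None} Processed request: 0.3sec 200 "GET /_matrix/media/v3/download/remote-a.example/m1 HTTP/1.1" "curl/8.0"
2024-12-03 10:00:02,000 - synapse.access.http.8008 - 460 - INFO - GET-2 - 203.0.113.5 - 8008 - {None} Processed request: 0.4sec 200 "GET /_matrix/media/v3/download/remote-a.example/m2 HTTP/1.1" "curl/8.0"
2024-12-03 10:00:03,000 - synapse.access.http.8008 - 460 - INFO - GET-3 - 203.0.113.5 - 8008 - {None} Processed request: 0.2sec 200 "GET /_matrix/media/v3/thumbnail/remote-b.example/m3?width=32&height=32 HTTP/1.1" "curl/8.0"
2024-12-03 10:00:04,000 - synapse.access.http.8008 - 460 - INFO - GET-4 - 198.51.100.7 - 8008 - {@alice:example.org} Processed request: 0.1sec 200 "GET /_matrix/media/v3/download/remote-a.example/m4 HTTP/1.1" "Element/1.0"
2024-12-03 10:00:05,000 - synapse.access.http.8008 - 460 - INFO - GET-5 - 198.51.100.7 - 8008 - {None} Processed request: 0.1sec 200 "GET /_matrix/media/v3/download/example.org/local1 HTTP/1.1" "curl/8.0"
"""


def parse_unauth_remote_fetches(log_text):
    """Return {ip: {origin: set(media_ids)}} for unauthenticated requests naming a non-local origin."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("user") != "None":  # authenticated requests are out of scope here
            continue
        p = MEDIA_RE.match(m.group("path"))
        if p and p.group("origin").lower() != LOCAL_SERVER:
            hits[m.group("ip")][p.group("origin")].add(p.group("media_id"))
    return hits


def flag_sources(hits, min_media=3):
    """IPs whose unauthenticated requests caused >= min_media distinct remote media objects to be fetched."""
    return sorted(ip for ip, origins in hits.items()
                  if sum(len(ids) for ids in origins.values()) >= min_media)


if __name__ == "__main__":
    found = parse_unauth_remote_fetches(SAMPLE_LOG)
    for ip in flag_sources(found):
        print(ip, {origin: sorted(ids) for origin, ids in found[ip].items()})
```

Tune `min_media` to the homeserver's normal unauthenticated media traffic; on a patched server the unauthenticated lines for remote origins should stop appearing altogether.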


Remediation

Install the security update from the vendor's website.

External links