Whilst Synapse (and Matrix) is still in beta, we nonetheless take such security issues seriously. (This can be done by running patch -p1 sec.patch in the synapse source directory.) If an update is not available for your system you should manually apply the security patch that is included below. The github repository, as well as major 3rd party packages, have been updated with patched versions. We are not aware of any exploit in the wild, but it is critical for all synapse homeservers later than v0.12 to be upgraded immediately. The source of the issue was identified, and a patch was created and distributed to package maintainers at roughly 16:30 UTC the same day. The issue was reported at 14:40 UTC on by Patrik Oldsberg at Ericsson (many thanks Patrik for discovering the issue and swiftly informing us). We've been made aware of a critical security issue in Synapse present in versions 0.12 through 0.16.1 inclusive which can allow users' accounts to be accessed by other unauthorized users on the same server.