Synapse 1.152.1 (2026-05-07)

Security Fixes

• Prevent CPU starvation (Denial of Service) under worker lock contention, additionally capping the WorkerLock time out interval to a maximum of 60 seconds. Contributed by Famedly. (#19394, ELEMENTSEC-2026-1706, GHSA-8q93-326v-3m7g, CVE pending)
• Prevent pagination ending when a page is full of rejected events. (ELEMENTSEC-2025-1636, GHSA-6qf2-7x63-mm6v, CVE pending)

Synapse 1.152.0 (2026-04-28)

No significant changes since 1.152.0rc1.

Configuration changes needed for deployments using workers

For deployments using workers, please note that this version introduces a new quarantined_media_changes stream writer, which may require configuration changes.
Please see the the relevant section in the upgrade notes for details.

Without configuring this new stream writer, only the main process will be able to handle the /media/quarantine admin API endpoints for quarantining media.

Synapse 1.152.0rc1 (2026-04-22)

Features

• Add a "Listing quarantined media changes" Admin API for retrieving a paginated record of when media became (un)quarantined. (#19558, #19677, #19694)
• Advertise MSC4445 sync timeline order in unstable_features. (#19642)
• Report the Rust compiler version used in the Prometheus metrics. Contributed by Noah Markert. (#19643)
• Passthrough 'article' and 'profile' OpenGraph metadata on URL preview requests. (#19659)
• Add a way to re-sign local events with a new signing key. (#19668)
• Support MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On. (#19693)
• Add experimental support for MSC4242: State DAGs. Excludes federation support. (#19424)
• Adds Admin API endpoints to
  list, fetch and delete user reports. (#19657)
• Reduce database disk space usage by pruning old rows from device_lists_changes_in_room. (#19473, #19709)

Bugfixes

• Reject device_keys: null in the request to POST /_matrix/client/v3/keys/upload, as per the spec. This was temporarily allowed as a workaround for misbehaving clients. (#19637)
• Fix database migrations failing on platforms where SQLite is configured with SQLITE_DBCONFIG_DEFENSIVE by default, such as macOS. (#19690)
• Fix a bug introduced in v1.145 where a non-admin could bypass admin checks for downloading remote quarantined media. This relied on the media already being previously present on the homeserver. (#19639)

Improved Documentation

• Include a workaround for running the unit tests with SQLite under recent versions of MacOS. (#19615)
• Fix Docker image link typo in worker docs. (#19645)
• Update the developer stream docs for creating a new stream to point out _setup_sequence(...) in portdb. (#19675)
• Update the developer stream docs for creating a new stream to highlight places that require documentation updates. (#19696)

Internal Changes

• Update CI to use re-usable Complement GitHub CI workflow. (#19533)
• Fix docstring for limit argument in _maybe_backfill_inner(...). (#19630)
• Document context for why increase timeout for policy server requests. (#19633)
• Run lint script to format Complement tests introduced in #19509. (#19636)
• Small simplifications to the events class. (#19680, #19712)
• Introduce spam_checker_spammy internal event metadata. (#19453)
• Add a FilteredEvent class that saves us copying events. (#19640)
• Convert EventInternalMetadata to use Arc<RwLock<_>>. (#19669)