v1.149.0rc1

Synapse 1.149.0rc1 (2026-03-03)

Features

• Add experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#19127)
• Add stable support for MSC4380 invite blocking. (#19431)

Bugfixes

• Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token. (#18518)
• Fix /sync missing membership event in state_after (experimental MSC4222 implementation) in some scenarios. (#19460)

Internal Changes

• Add log to explain when and why we freeze objects in the garbage collector. (#19440)
• Better instrument JoinRoomAliasServlet with tracing. (#19461)
• Fix Complement CI not running against the code from our PRs. (#19475)
• Log docker system info in CI so we have a plain record of how GitHub runners evolve over time. (#19480)
• Rename the test_disconnect test helper so that pytest doesn't see it as a test. (#19486)
• Add a log line when we delete devices. Contributed by @bradtgmurray @ Beeper. (#19496)
• Pre-allocate the buffer based on the expected Content-Length with the Rust HTTP client. (#19498)
• Cancel long-running sync requests if the client has gone away. (#19499)
• Try and reduce reactor tick times when under heavy load. (#19507)
• Simplify Rust HTTP client response streaming and limiting. (#19510)
• Replace deprecated collection import locations with current locations. (#19515)
• Bump most locked Python dependencies to their latest versions. (#19519)

v1.148.0

Synapse 1.148.0 (2026-02-24)

No significant changes since 1.148.0rc1.

Synapse 1.148.0rc1 (2026-02-17)

Features

• Support sending and receiving MSC4354 Sticky Event metadata. (#19365)

Improved Documentation

• Fix reference to the experimental_features section of the configuration manual documentation. (#19435)

Deprecations and Removals

• Remove support for MSC3244: Room version capabilities as the MSC was rejected. (#19429)

Internal Changes

• Add in-repo Complement tests so we can test Synapse specific behavior at an end-to-end level. (#19406)
• Push Synapse docker images to Element OCI Registry. (#19420)
• Allow configuring the Rust HTTP client to use HTTP/2 only. (#19457)
• Correctly refuse to start if the Rust workspace config has changed and the Rust library has not been rebuilt. (#19470)

v1.148.0rc1

Synapse 1.148.0rc1 (2026-02-17)

Features

• Support sending and receiving MSC4354 Sticky Event metadata. (#19365)

Improved Documentation

• Fix reference to the experimental_features section of the configuration manual documentation. (#19435)

Deprecations and Removals

• Remove support for MSC3244: Room version capabilities as the MSC was rejected. (#19429)

Internal Changes

• Add in-repo Complement tests so we can test Synapse specific behavior at an end-to-end level. (#19406)
• Push Synapse docker images to Element OCI Registry. (#19420)
• Allow configuring the Rust HTTP client to use HTTP/2 only. (#19457)
• Correctly refuse to start if the Rust workspace config has changed and the Rust library has not been rebuilt. (#19470)

v1.147.1

Synapse 1.147.1 (2026-02-12)

• Block federation requests and events authenticated using a known insecure signing key. See CVE-2026-24044 / ELEMENTSEC-2025-1670. (#19459)

v1.147.0

Synapse 1.147.0 (2026-02-10)

No significant changes since 1.147.0rc1.

Synapse 1.147.0rc1 (2026-02-03)

Bugfixes

• Fix memory leak caused by not cleaning up stopped looping calls. Introduced in v1.140.0. (#19416)
• Fix a typo that incorrectly made setuptools_rust a runtime dependency. (#19417)

Internal Changes

• Prune stale entries from sliding_sync_connection_required_state table. (#19306)
• Update "Event Send Time Quantiles" graph to only use dots for the event persistence rate (Grafana dashboard). (#19399)
• Update and align Grafana dashboard to use regex matching for job selectors (job=~"$job") so the "all" value works correctly across all panels. (#19400)
• Don't retry joining partial state rooms all at once on startup. (#19402)
• Disallow requests to the health endpoint from containing trailing path characters. (#19405)
• Add notes that new experimental features should have associated tracking issues. (#19410)
• Bump pyo3 from 0.26.0 to 0.27.2 and pythonize from 0.26.0 to 0.27.0. Contributed by @razvp @ ERCOM. (#19412)

v1.147.0rc1

Synapse 1.147.0rc1 (2026-02-03)

Bugfixes

• Fix memory leak caused by not cleaning up stopped looping calls. Introduced in v1.140.0. (#19416)
• Fix a typo that incorrectly made setuptools_rust a runtime dependency. (#19417)

Internal Changes

• Prune stale entries from sliding_sync_connection_required_state table. (#19306)
• Update "Event Send Time Quantiles" graph to only use dots for the event persistence rate (Grafana dashboard). (#19399)
• Update and align Grafana dashboard to use regex matching for job selectors (job=~"$job") so the "all" value works correctly across all panels. (#19400)
• Don't retry joining partial state rooms all at once on startup. (#19402)
• Disallow requests to the health endpoint from containing trailing path characters. (#19405)
• Add notes that new experimental features should have associated tracking issues. (#19410)
• Bump pyo3 from 0.26.0 to 0.27.2 and pythonize from 0.26.0 to 0.27.0. Contributed by @razvp @ ERCOM. (#19412)

v1.146.0

Synapse 1.146.0 (2026-01-27)

No significant changes since 1.146.0rc1.

Deprecations and Removals

• MSC2697 (Dehydrated devices) has been removed, as the MSC is closed. Developers should migrate to MSC3814. (#19346)
• Support for Ubuntu 25.04 (Plucky Puffin) has been dropped. Synapse no longer builds debian packages for Ubuntu 25.04.

Synapse 1.146.0rc1 (2026-01-20)

Features

• Add a new config option enable_local_media_storage which controls whether media is additionally stored locally when using configured media_storage_providers. Setting this to false allows off-site media storage without a local cache. Contributed by Patrice Brend'amour @dr.allgood. (#19204)
• Stabilise support for MSC4312's m.oauth User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (org.matrix.cross_signing_reset) is now deprecated and will be removed in a future release. (#19273)
• Refactor Grafana dashboard to use server_name label (instead of instance). (#19337)

Bugfixes

• Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are. Contributed by @nexy7574. (#19321)
• Fixed parallel calls to /_matrix/media/v1/create being ratelimited for appservices even if rate_limited: false was set in the registration. Contributed by @tulir @ Beeper. (#19335)
• Fix a bug introduced in 1.61.0 where a user's membership in a room was accidentally ignored when considering access to historical state events in rooms with the "shared" history visibility. Contributed by Lukas Tautz. (#19353)
• MSC4140: Store the JSON content of scheduled delayed events as text instead of a byte array. This fixes the inability to schedule a delayed event with non-ASCII characters in its content. (#19360)
• Always rollback database transactions when retrying (avoid orphaned connections). (#19372)
• Fix InFlightGauge typing to allow upgrading to prometheus_client 0.24. (#19379)

Updates to the Docker image

• Add Prometheus HTTP service discovery endpoint for easy discovery of all workers when using the docker/Dockerfile-workers image (see the Metrics section of our Docker testing docs). (#19336)

Improved Documentation

• Remove docs on legacy metric names (no longer in the codebase since 2022-12-06). (#19341)
• Clarify how the estimated value of room complexity is calculated internally. (#19384)

Internal Changes

• Add an internal cancel_task API to the task scheduler. (#19310)
• Tweak docstrings and signatures of auth_types_for_event and get_catchup_room_event_ids. (#19320)
• Replace usage of deprecated assertEquals with assertEqual in unit test code. (#19345)
• Drop support for Ubuntu 25.04 'Plucky Puffin', add support for Ubuntu 25.10 'Questing Quokka'. (#19348)
• Revert "Add an Admin API endpoint for listing quarantined media (#19268)". (#19351)
• Bump mdbook from 0.4.17 to 0.5.2 and remove our custom table-of-contents plugin in favour of the new default functionality. (#19356)
• Replace deprecated usage of PyGitHub's GitRelease.title with .name in release script. (#19358)
• Update the Element logo in Synapse's README to be an absolute URL, allowing it to render on other sites (such as PyPI). (#19368)
• Apply minor tweaks to v1.145.0 changelog. (#19376)
• Update Grafana dashboard syntax to use the latest from importing/exporting with Grafana 12.3.1. (#19381)
• Warn about skipping reactor metrics when using unknown reactor type. (#19383)
• Add support for reactor metrics with the ProxiedReactor used in worker Complement tests. (#19385)

v1.146.0rc1

Synapse 1.146.0rc1 (2026-01-20)

Deprecations and Removals

• MSC2697 (Dehydrated devices) has been removed, as the MSC is closed. Developers should migrate to MSC3814. (#19346)
• Support for Ubuntu 25.04 (Plucky Puffin) has been dropped. Synapse no longer builds debian packages for Ubuntu 25.04.

Features

• Add a new config option enable_local_media_storage which controls whether media is additionally stored locally when using configured media_storage_providers. Setting this to false allows off-site media storage without a local cache. Contributed by Patrice Brend'amour @dr.allgood. (#19204)
• Stabilise support for MSC4312's m.oauth User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (org.matrix.cross_signing_reset) is now deprecated and will be removed in a future release. (#19273)
• Refactor Grafana dashboard to use server_name label (instead of instance). (#19337)

Bugfixes

• Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are. Contributed by @nexy7574. (#19321)
• Fixed parallel calls to /_matrix/media/v1/create being ratelimited for appservices even if rate_limited: false was set in the registration. Contributed by @tulir @ Beeper. (#19335)
• Fix a bug introduced in 1.61.0 where a user's membership in a room was accidentally ignored when considering access to historical state events in rooms with the "shared" history visibility. Contributed by Lukas Tautz. (#19353)
• MSC4140: Store the JSON content of scheduled delayed events as text instead of a byte array. This fixes the inability to schedule a delayed event with non-ASCII characters in its content. (#19360)
• Always rollback database transactions when retrying (avoid orphaned connections). (#19372)
• Fix InFlightGauge typing to allow upgrading to prometheus_client 0.24. (#19379)

Updates to the Docker image

• Add Prometheus HTTP service discovery endpoint for easy discovery of all workers when using the docker/Dockerfile-workers image (see the Metrics section of our Docker testing docs). (#19336)

Improved Documentation

• Remove docs on legacy metric names (no longer in the codebase since 2022-12-06). (#19341)
• Clarify how the estimated value of room complexity is calculated internally. (#19384)

Internal Changes

• Add an internal cancel_task API to the task scheduler. (#19310)
• Tweak docstrings and signatures of auth_types_for_event and get_catchup_room_event_ids. (#19320)
• Replace usage of deprecated assertEquals with assertEqual in unit test code. (#19345)
• Drop support for Ubuntu 25.04 'Plucky Puffin', add support for Ubuntu 25.10 'Questing Quokka'. (#19348)
• Revert "Add an Admin API endpoint for listing quarantined media (#19268)". (#19351)
• Bump mdbook from 0.4.17 to 0.5.2 and remove our custom table-of-contents plugin in favour of the new default functionality. (#19356)
• Replace deprecated usage of PyGitHub's GitRelease.title with .name in release script. (#19358)
• Update the Element logo in Synapse's README to be an absolute URL, allowing it to render on other sites (such as PyPI). (#19368)
• Apply minor tweaks to v1.145.0 changelog. (#19376)
• Update Grafana dashboard syntax to use the latest from importing/exporting with Grafana 12.3.1. (#19381)
• Warn about skipping reactor metrics when using unknown reactor type. (#19383)
• Add support for reactor metrics with the ProxiedReactor used in worker Complement tests. (#19385)

v1.145.0

Synapse 1.145.0 (2026-01-13)

No significant changes since 1.145.0rc4.

End of Life of Ubuntu 25.04 Plucky Puffin

Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.

Updates to Locked Dependencies No Longer Included in Changelog

The "Updates to locked dependencies" section has been removed from the changelog due to lack of use and the maintenance burden. (#19254)

Synapse 1.145.0rc4 (2026-01-08)

No significant changes since 1.145.0rc3.

This RC contains a fix specifically for openSUSE packaging and no other changes.

Synapse 1.145.0rc3 (2026-01-07)

No significant changes since 1.145.0rc2.

This RC strips out unnecessary files from the wheels that were added when fixing the source distribution packaging in the previous RC.

Synapse 1.145.0rc2 (2026-01-07)

No significant changes since 1.145.0rc1.

This RC fixes the source distribution packaging for uploading to PyPI.

Synapse 1.145.0rc1 (2026-01-06)

Features

• Add memberships endpoint to the admin API. This is useful for forensics and T&S purposes. (#19260)
• Server admins can bypass the quarantine media check when downloading media by setting the admin_unsafely_bypass_quarantine query parameter to true on Client-Server API media download requests. (#19275)
• Implemented pagination for the MSC2666 mutual rooms endpoint. Contributed by @tulir @ Beeper. (#19279)
• Admin API: add worker support to GET /_synapse/admin/v2/users/<user_id>. (#19281)
• Improve proxy support for the federation_client.py dev script. Contributed by Denis Kasak (@dkasak). (#19300)

Bugfixes

• Fix sliding sync performance slow down for long lived connections. (#19206)
• Fix a bug where Mastodon posts (and possibly other embeds) have the wrong description for URL previews. (#19231)
• Fix bug where Duration was logged incorrectly. (#19267)
• Fix bug introduced in 1.143.0 that broke support for versions of zope-interface older than 6.2. (#19274)
• Transform events with client metadata before serialising in /event response. (#19340)

Updates to the Docker image

• Add a way to expose metrics from the Docker image (SYNAPSE_ENABLE_METRICS). (#19324)

Improved Documentation

• Document the importance of public_baseurl when configuring OpenID Connect authentication. (#19270)

Deprecations and Removals

• Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.
• Remove the "Updates to locked dependencies" section from the changelog due to lack of use and the maintenance burden. (#19254)

Internal Changes

• Group together dependabot update PRs to reduce the review load. (#18402)
• Fix HomeServer.shutdown() failing if the homeserver hasn't been setup yet. (#19187)
• Respond with useful error codes with Content-Length header/s are invalid. (#19212)
• Fix HomeServer.shutdown() failing if the homeserver failed to start. (#19232)
• Switch the build backend from poetry-core to maturin. (#19234)
• Raise the limit for concurrently-open non-security @dependabot PRs from 5 to 10. (#19253)
• Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks. (#19258)
• Drop the broken netlify documentation workflow until a new one is implemented. (#19262)
• Don't include debug logs in Clock unless explicitly enabled. (#19278)
• Use uv to test olddeps to ensure all transitive dependencies use minimum versions. (#19289)
• Add a config to be able to rate limit search in the user directory. (#19291)
• Log the original bind exception when encountering Failed to listen on 0.0.0.0, continuing because listening on [::]. (#19297)
• Unpin the version of Rust we use to build Synapse wheels (was 1.82.0) now that MacOS support has been dropped. (#19302)
• Make it more clear how shared_extra_conf is combined in our Docker configuration scripts. (#19323)
• Update CI to stream Complement progress and format logs in a separate step after all tests are done. (#19326)
• Format .github/workflows/tests.yml. (#19327)

v1.145.0rc4

Synapse 1.145.0rc4 (2026-01-08)

No significant changes since 1.145.0rc3.

This RC contains a fix specifically for openSUSE packaging and no other changes.