
CVE-2022-36009: CWE-863: Incorrect Authorization in matrix-org gomatrixserverlib

Medium
Published: Fri Aug 19 2022 (08/19/2022, 20:35:09 UTC)
Source: CVE
Vendor/Project: matrix-org
Product: gomatrixserverlib

Description

gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/22/2025, 23:35:23 UTC

Technical Analysis

CVE-2022-36009 is a vulnerability classified under CWE-863 (Incorrect Authorization) affecting gomatrixserverlib, a Go library used for Matrix protocol federation, and specifically impacting Dendrite, a Matrix homeserver implementation written in Go. The issue arises from improper parsing of the "events_default" key within the "m.room.power_levels" event. Power levels in Matrix define user permissions and access control within chat rooms; "events_default" is the minimum level a sender needs for any event type that has no per-type entry under "events". The vulnerability causes the power level parser to default the "events_default" power level to zero regardless of its actual configured value. This misinterpretation leads to incorrect authorization decisions by Dendrite servers: events that should be authorized may be rejected, or unauthorized events may be accepted. The impact is limited to rooms where the "events_default" power level has been customized from the default zero value; rooms with default settings are not vulnerable. The flaw was corrected in gomatrixserverlib as of commit 723fd49 and in Dendrite version 0.9.3. No known workarounds exist, so upgrading to patched versions is essential. There are no reports of active exploitation in the wild. The vulnerability affects versions of Dendrite prior to 0.9.3 and gomatrixserverlib versions before the specified commit. Since this is an authorization flaw, it can potentially allow unauthorized actions or deny legitimate actions within affected Matrix rooms, impacting the confidentiality and integrity of communications and potentially availability if legitimate events are blocked.
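To make the failure mode concrete, here is an added illustration (not code from gomatrixserverlib or Dendrite) of a simplified power-level parser and the authorisation rule it feeds; the `PowerLevels` type, the `fixed` switch and the room content are all constructed for this example. With the key dropped, a level-0 member is wrongly allowed to send ordinary events in a room whose `events_default` was raised to 50; with the key honoured, the same sender is rejected.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PowerLevels is a constructed stand-in for parsed m.room.power_levels content
// (for this illustration only; not gomatrixserverlib's own type).
type PowerLevels struct {
	Users         map[string]int64 `json:"users"`
	UsersDefault  int64            `json:"users_default"`
	Events        map[string]int64 `json:"events"`
	EventsDefault int64            `json:"events_default"`
}

// ParsePowerLevels decodes the event content. With fixed=false it reproduces the
// defect in the advisory: "events_default" is never read and stays at zero.
func ParsePowerLevels(content []byte, fixed bool) (PowerLevels, error) {
	var pl PowerLevels
	if err := json.Unmarshal(content, &pl); err != nil {
		return PowerLevels{}, err
	}
	if !fixed {
		pl.EventsDefault = 0 // key silently dropped in affected versions
	}
	return pl, nil
}

// levelOr looks a key up in a power-level map, falling back to the default.
func levelOr(m map[string]int64, key string, def int64) int64 {
	if lvl, ok := m[key]; ok {
		return lvl
	}
	return def
}

// UserLevel is a sender's level; RequiredLevel is what an event type demands.
func (pl PowerLevels) UserLevel(userID string) int64 { return levelOr(pl.Users, userID, pl.UsersDefault) }
func (pl PowerLevels) RequiredLevel(evType string) int64 { return levelOr(pl.Events, evType, pl.EventsDefault) }

// CanSend is the authorisation rule: the sender's level must reach the required level.
func (pl PowerLevels) CanSend(userID, evType string) bool { return pl.UserLevel(userID) >= pl.RequiredLevel(evType) }

// RoomContent is constructed: events_default raised to 50 while ordinary members sit at 0.
const RoomContent = `{"users":{"@admin:example.org":100},"users_default":0,"events":{"m.room.name":50},"events_default":50}`

func main() {
	pl, _ := ParsePowerLevels([]byte(RoomContent), false)
	fmt.Println("unfixed parser lets @alice:example.org send m.room.message:", pl.CanSend("@alice:example.org", "m.room.message"))
}
```

Event types listed explicitly under `events` (here `m.room.name`) are unaffected either way, which is why only rooms that changed `events_default` are exposed.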

Potential Impact

For European organizations using Dendrite-based Matrix homeservers or any services relying on gomatrixserverlib for federation, this vulnerability could lead to unauthorized access or denial of legitimate actions within Matrix chat rooms. This may result in unauthorized message posting, event manipulation, or disruption of communication channels, affecting confidentiality, integrity, and availability of sensitive organizational communications. Given the increasing adoption of Matrix for secure collaboration in sectors such as government, finance, and critical infrastructure in Europe, exploitation could undermine trust in internal and inter-organizational communications. However, the impact is somewhat mitigated by the requirement that the affected rooms have customized "events_default" power levels, which may limit the scope. Since no authentication bypass is explicitly mentioned, and the flaw relates to event authorization within rooms, attackers would likely need some level of access to the Matrix environment. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially for organizations with high-value targets or sensitive communications. Disruptions or unauthorized actions in communication platforms can have cascading effects on operational security and incident response capabilities.

Mitigation Recommendations

1. Immediate upgrade of all Dendrite homeservers to version 0.9.3 or later, and gomatrixserverlib to versions including commit 723fd49 or later, to ensure the fix is applied.
2. Conduct an audit of Matrix rooms to identify those with customized "events_default" power levels and prioritize their monitoring and review.
3. Implement enhanced logging and monitoring of Matrix server event authorization decisions to detect anomalies potentially related to this vulnerability.
4. Restrict administrative access to Matrix homeservers and federation components to trusted personnel only, minimizing the risk of exploitation.
5. For organizations using custom or forked versions of gomatrixserverlib or Dendrite, ensure backporting of the fix or equivalent patching is performed.
6. Engage in regular security reviews of Matrix server configurations and power level settings to avoid misconfigurations that could exacerbate authorization issues.
7. Consider deploying network segmentation and access controls around Matrix infrastructure to limit exposure.
8. Stay informed on updates from matrix-org and community advisories for any emerging exploits or additional patches.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3b8f

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:35:23 PM

Last updated: 8/15/2025, 2:51:27 AM
