Aug 31, 2021 - 12:00 a.m.

CVE-2021-39163

2021-08-31 00:00:00
ubuntu.com
matrix
vulnerability
unauthorized access
room details
homeserver
communities
database
api
configuration
patch
workaround

CVSS2: 3.5
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3: 3.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 49.7%

Matrix is an ecosystem for open federated Instant Messaging and Voice over
IP. In versions 1.41.0 and prior, unauthorised users can access the name,
avatar, topic and number of members of a room if they know the ID of the
room. This vulnerability is limited to homeservers where the vulnerable
homeserver is in the room and untrusted users are permitted to create
groups (communities). By default, only homeserver administrators can create
groups. However, homeserver administrators can already access this
information in the database or using the admin API. As a result, only
homeservers where the configuration setting enable_group_creation has
been set to true are impacted. Server administrators should upgrade to
1.41.1 or higher to patch the vulnerability. There are two potential
workarounds. Server administrators can set enable_group_creation to
false in their homeserver configuration (this is the default value) to
prevent creation of groups by non-administrators. Administrators that are
using a reverse proxy could, with partial loss of group functionality,
block the endpoints /_matrix/client/r0/groups/{group_id}/rooms and
/_matrix/client/unstable/groups/{group_id}/rooms.
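
The two workarounds above can be checked from the defender's side. The following is an added example, not code from the advisory or the project: it reads a homeserver configuration text for enable_group_creation and scans reverse-proxy access log lines for requests to the two listed endpoints. The combined log format, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# The two client endpoints named in the advisory; {group_id} is one path segment.
AFFECTED = re.compile(r"^/_matrix/client/(?:r0|unstable)/groups/[^/]+/rooms/?$")
# Request line and status in a combined-format access log (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
YAML_FALSE = {"false", "no", "off", "null", "~"}

def group_creation_enabled(config_text):
    """Line-based check (not a YAML parser) of top-level enable_group_creation."""
    enabled = False  # the advisory states that false is the default
    for line in config_text.splitlines():
        m = re.match(r"enable_group_creation\s*:\s*([^#\s]+)", line)
        if m:  # anything but an explicit false/null value is treated as enabled
            enabled = m.group(1).lower() not in YAML_FALSE
    return enabled

def affected_requests(log_lines):
    """Return (method, path, status) for each request to an affected endpoint."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # ignore the query string
        if AFFECTED.match(path):
            hits.append((m.group("method"), path, int(m.group("status"))))
    return hits

# Constructed sample inputs, not taken from a real server.
SAMPLE_CONFIG = (
    'server_name: "example.org"\n'
    "#enable_group_creation: false\n"
    "enable_group_creation: true\n"
)
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Aug/2021:10:00:01 +0000] "GET /_matrix/client/r0/groups/%2Bdemo%3Aexample.org/rooms HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Aug/2021:10:00:02 +0000] "GET /_matrix/client/unstable/groups/%2Bdemo%3Aexample.org/rooms?x=1 HTTP/1.1" 403 0',
    '198.51.100.9 - - [31/Aug/2021:10:00:03 +0000] "GET /_matrix/client/r0/groups/%2Bdemo%3Aexample.org/profile HTTP/1.1" 200 120',
    '198.51.100.9 - - [31/Aug/2021:10:00:04 +0000] "GET /_matrix/client/r0/sync HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("group creation open to non-admins:", group_creation_enabled(SAMPLE_CONFIG))
    for method, path, status in affected_requests(SAMPLE_LOG):
        print(method, path, status, "served" if status < 400 else "blocked or failed")
```

A matching line with a 2xx status after the reverse-proxy block has been deployed indicates the rule is not in effect for that path.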
