v1.151.0

Synapse 1.151.0 (2026-04-07)

Bugfixes

• Fix KNOWN_ROOM_VERSIONS.__contains__ raising TypeError for non-string keys, which could cause /sync to fail for rooms with a NULL room version in the database. Bug introduced in #19589 as part of v1.151.0rc1. (#19649)

Synapse 1.151.0rc1 (2026-03-31)

Features

• Add stable support for MSC4284 Policy Servers. (#19503)
• Update and stabilize support for MSC2666: Get rooms in common with another user. Contributed by @tulir @ Beeper. (#19511)
• Updated experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#19573)
• Stabilize room_version and encryption fields in the space/room /hierarchy API (part of MSC3266). (#19576)
• Introduce a configuration option to allow using HTTP/2 over plaintext when Synapse connects to Matrix Authentication Service. (#19586)

Bugfixes

• Fix MSC4284 Policy Servers implementation to skip signing org.matrix.msc4284.policy and m.room.policy state events. (#19503)
• Correctly apply MSC4284 Policy Server signatures to events when the sender and policy server have the same server name. (#19503)
• Allow Synapse to start up even when discovery fails for an OpenID Connect provider. (#19509)
• Fix quarantine media admin APIs sometimes returning inaccurate counts for remote media. (#19559)
• Fix Build and push complement image CI job not having poetry available for the Complement runner script. (#19578)
• Increase timeout for policy server requests to avoid repeated requests for checking media. (#19629)

Deprecations and Removals

• Remove support for MSC3852: Expose user agent information on Device as the MSC was closed. (#19430)

Internal Changes

• Fix small comment typo in config output from the demo/start.sh script. (#19538)
• Add MSC3820 comment context to RoomVersion attributes. (#19577)
• Remove redacted_because from internal unsigned. (#19581)
• Prevent sending registration emails if registration is disabled. (#19585)
• Port RoomVersion to Rust. (#19589)
• Only show failing Complement tests in the formatted output in CI. (#19590)
• Ensure old Complement test files are removed when downloading a Complement checkout via ./scripts-dev/complement.sh. (#19592)
• Update HomeserverTestCase.pump() docstring to demystify behavior (Twisted reactor/clock). (#19602)
• Deprecate HomeserverTestCase.pump() in favor of more direct HomeserverTestCase.reactor.advance(...) usage. (#19602)
• Lower the Postgres database statement_timeout to 10m (previously 1h). (#19604)

v1.151.0rc1

Synapse 1.151.0rc1 (2026-03-31)

Features

• Add stable support for MSC4284 Policy Servers. (#19503)
• Update and stabilize support for MSC2666: Get rooms in common with another user. Contributed by @tulir @ Beeper. (#19511)
• Updated experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#19573)
• Stabilize room_version and encryption fields in the space/room /hierarchy API (part of MSC3266). (#19576)
• Introduce a configuration option to allow using HTTP/2 over plaintext when Synapse connects to Matrix Authentication Service. (#19586)

Bugfixes

• Fix MSC4284 Policy Servers implementation to skip signing org.matrix.msc4284.policy and m.room.policy state events. (#19503)
• Correctly apply MSC4284 Policy Server signatures to events when the sender and policy server have the same server name. (#19503)
• Allow Synapse to start up even when discovery fails for an OpenID Connect provider. (#19509)
• Fix quarantine media admin APIs sometimes returning inaccurate counts for remote media. (#19559)
• Fix Build and push complement image CI job not having poetry available for the Complement runner script. (#19578)
• Increase timeout for policy server requests to avoid repeated requests for checking media. (#19629)

Deprecations and Removals

• Remove support for MSC3852: Expose user agent information on Device as the MSC was closed. (#19430)

Internal Changes

• Fix small comment typo in config output from the demo/start.sh script. (#19538)
• Add MSC3820 comment context to RoomVersion attributes. (#19577)
• Remove redacted_because from internal unsigned. (#19581)
• Prevent sending registration emails if registration is disabled. (#19585)
• Port RoomVersion to Rust. (#19589)
• Only show failing Complement tests in the formatted output in CI. (#19590)
• Ensure old Complement test files are removed when downloading a Complement checkout via ./scripts-dev/complement.sh. (#19592)
• Update HomeserverTestCase.pump() docstring to demystify behavior (Twisted reactor/clock). (#19602)
• Deprecate HomeserverTestCase.pump() in favor of more direct HomeserverTestCase.reactor.advance(...) usage. (#19602)
• Lower the Postgres database statement_timeout to 10m (previously 1h). (#19604)

v1.150.0

Synapse 1.150.0 (2026-03-24)

No significant changes since 1.150.0rc1.

Upgrade notes

Please read the upgrade notes as this release includes a few changes that may affect your deployment.

Synapse 1.150.0rc1 (2026-03-17)

Features

• Add experimental support for the MSC4370 Federation API GET /extremities endpoint. (#19314)
• MSC4140: Cancellable delayed events: When persisting a delayed event to the timeline, include its delay_id in the event's unsigned section in /sync responses to the event sender. (#19479)
• Expose MSC4354 Sticky Events over the legacy (v3) /sync API. (#19487)
• When Matrix Authentication Service (MAS) integration is enabled, allow MAS to set the user locked status in Synapse. (#19554)

Bugfixes

• Fix Build and push complement image CI job pointing to non-existent image. (#19523)
• Fix a bug introduced in v1.26.0 that caused deactivated, erased users to not be removed from the user directory. (#19542)

Improved Documentation

• In the Admin API documentation, always express path parameters as /<param> instead of as /$param. (#19307)
• Update docs to clarify outbound_federation_restricted_to can also be used with the Secure Border Gateway (SBG). (#19517)
• Unify Complement developer docs. (#19518)

Internal Changes

• Put membership updates in a background resumable task when changing the avatar or the display name. (#19311)
• Add in-repo Complement test to sanity check Synapse version matches git checkout (testing what we think we are). (#19476)
• Migrate dev dependencies to PEP 735 dependency groups. (#19490)
• Remove the optional systemd-python dependency and the systemd extra on the synapse package. (#19491)
• Avoid re-computing the event ID when cloning events. (#19527)
• Allow caching of the /versions and /auth_metadata public endpoints. (#19530)
• Add a few labels to the number groupings in the Processed request logs. (#19548)

v1.150.0rc1

Synapse 1.150.0rc1 (2026-03-17)

Features

• Add experimental support for the MSC4370 Federation API GET /extremities endpoint. (#19314)
• MSC4140: Cancellable delayed events: When persisting a delayed event to the timeline, include its delay_id in the event's unsigned section in /sync responses to the event sender. (#19479)
• Expose MSC4354 Sticky Events over the legacy (v3) /sync API. (#19487)
• When Matrix Authentication Service (MAS) integration is enabled, allow MAS to set the user locked status in Synapse. (#19554)

Bugfixes

• Fix Build and push complement image CI job pointing to non-existent image. (#19523)
• Fix a bug introduced in v1.26.0 that caused deactivated, erased users to not be removed from the user directory. (#19542)

Improved Documentation

• In the Admin API documentation, always express path parameters as /<param> instead of as /$param. (#19307)
• Update docs to clarify outbound_federation_restricted_to can also be used with the Secure Border Gateway (SBG). (#19517)
• Unify Complement developer docs. (#19518)

Internal Changes

• Put membership updates in a background resumable task when changing the avatar or the display name. (#19311)
• Add in-repo Complement test to sanity check Synapse version matches git checkout (testing what we think we are). (#19476)
• Migrate dev dependencies to PEP 735 dependency groups. (#19490)
• Remove the optional systemd-python dependency and the systemd extra on the synapse package. (#19491)
• Avoid re-computing the event ID when cloning events. (#19527)
• Allow caching of the /versions and /auth_metadata public endpoints. (#19530)
• Add a few labels to the number groupings in the Processed request logs. (#19548)

v1.149.1

Synapse 1.149.1 (2026-03-11)

Internal Changes

• Bump matrix-synapse-ldap3 to 0.4.0 to support setuptools>=82.0.0. Fixes #19541. (#19543)

v1.149.0

Synapse 1.149.0 (2026-03-10)

No significant changes since 1.149.0rc1.

Synapse 1.149.0rc1 (2026-03-03)

Features

• Add experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#19127)
• Add stable support for MSC4380 invite blocking. (#19431)

Bugfixes

• Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token. (#18518)
• Fix /sync missing membership event in state_after (experimental MSC4222 implementation) in some scenarios. (#19460)

Internal Changes

• Add log to explain when and why we freeze objects in the garbage collector. (#19440)
• Better instrument JoinRoomAliasServlet with tracing. (#19461)
• Fix Complement CI not running against the code from our PRs. (#19475)
• Log docker system info in CI so we have a plain record of how GitHub runners evolve over time. (#19480)
• Rename the test_disconnect test helper so that pytest doesn't see it as a test. (#19486)
• Add a log line when we delete devices. Contributed by @bradtgmurray @ Beeper. (#19496)
• Pre-allocate the buffer based on the expected Content-Length with the Rust HTTP client. (#19498)
• Cancel long-running sync requests if the client has gone away. (#19499)
• Try and reduce reactor tick times when under heavy load. (#19507)
• Simplify Rust HTTP client response streaming and limiting. (#19510)
• Replace deprecated collection import locations with current locations. (#19515)
• Bump most locked Python dependencies to their latest versions. (#19519)

v1.149.0rc1

Synapse 1.149.0rc1 (2026-03-03)

Features

• Add experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#19127)
• Add stable support for MSC4380 invite blocking. (#19431)

Bugfixes

• Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token. (#18518)
• Fix /sync missing membership event in state_after (experimental MSC4222 implementation) in some scenarios. (#19460)

Internal Changes

• Add log to explain when and why we freeze objects in the garbage collector. (#19440)
• Better instrument JoinRoomAliasServlet with tracing. (#19461)
• Fix Complement CI not running against the code from our PRs. (#19475)
• Log docker system info in CI so we have a plain record of how GitHub runners evolve over time. (#19480)
• Rename the test_disconnect test helper so that pytest doesn't see it as a test. (#19486)
• Add a log line when we delete devices. Contributed by @bradtgmurray @ Beeper. (#19496)
• Pre-allocate the buffer based on the expected Content-Length with the Rust HTTP client. (#19498)
• Cancel long-running sync requests if the client has gone away. (#19499)
• Try and reduce reactor tick times when under heavy load. (#19507)
• Simplify Rust HTTP client response streaming and limiting. (#19510)
• Replace deprecated collection import locations with current locations. (#19515)
• Bump most locked Python dependencies to their latest versions. (#19519)

v1.148.0

Synapse 1.148.0 (2026-02-24)

No significant changes since 1.148.0rc1.

Synapse 1.148.0rc1 (2026-02-17)

Features

• Support sending and receiving MSC4354 Sticky Event metadata. (#19365)

Improved Documentation

• Fix reference to the experimental_features section of the configuration manual documentation. (#19435)

Deprecations and Removals

• Remove support for MSC3244: Room version capabilities as the MSC was rejected. (#19429)

Internal Changes

• Add in-repo Complement tests so we can test Synapse specific behavior at an end-to-end level. (#19406)
• Push Synapse docker images to Element OCI Registry. (#19420)
• Allow configuring the Rust HTTP client to use HTTP/2 only. (#19457)
• Correctly refuse to start if the Rust workspace config has changed and the Rust library has not been rebuilt. (#19470)

v1.148.0rc1

Synapse 1.148.0rc1 (2026-02-17)

Features

• Support sending and receiving MSC4354 Sticky Event metadata. (#19365)

Improved Documentation

• Fix reference to the experimental_features section of the configuration manual documentation. (#19435)

Deprecations and Removals

• Remove support for MSC3244: Room version capabilities as the MSC was rejected. (#19429)

Internal Changes

• Add in-repo Complement tests so we can test Synapse specific behavior at an end-to-end level. (#19406)
• Push Synapse docker images to Element OCI Registry. (#19420)
• Allow configuring the Rust HTTP client to use HTTP/2 only. (#19457)
• Correctly refuse to start if the Rust workspace config has changed and the Rust library has not been rebuilt. (#19470)

v1.147.1

Synapse 1.147.1 (2026-02-12)

• Block federation requests and events authenticated using a known insecure signing key. See CVE-2026-24044 / ELEMENTSEC-2025-1670. (#19459)