From 50cc4f4bb6fa3c031015bf4e3f3f2a981ca8463e Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Thu, 14 Sep 2023 21:29:15 -0600 Subject: [PATCH] Mention newly created security issue --- proposals/4056-role-based-access-control.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proposals/4056-role-based-access-control.md b/proposals/4056-role-based-access-control.md index a3c2759d..9b9ab105 100644 --- a/proposals/4056-role-based-access-control.md +++ b/proposals/4056-role-based-access-control.md @@ -154,6 +154,10 @@ clients don't make use of many theorized alternatives. **TODO** +If `m.role_map` uses a role ID which doesn't exist and assigns users to it, those users will never be able +to send events because the `auth_events` will never be complete. This needs to be fixed before this MSC +enters FCP, at least for `m.room.member` and similar power events. + ## Unstable prefix While this proposal is not incorporated into a stable room version, implementations should use `org.matrix.msc4056`
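Review bot: the paragraph added after the `**TODO**` marker names the failure (an `m.role_map` that assigns users to a nonexistent role ID leaves `auth_events` incomplete, so those users can never send events) but does not say what a server should do when it encounters such a map, and "`m.room.member` and similar power events" leaves the affected event types open. Since the text itself says this must be fixed before FCP, consider listing the event types that must remain sendable and stating the intended handling, for example whether an `m.role_map` that references an unknown role ID fails auth or whether the unknown role is ignored when assembling `auth_events`. The commit subject refers to a newly created security issue, yet the added lines carry no link or reference to it; adding one would let readers follow the discussion. The `**TODO**` marker above the new paragraph is left in place, so it is unclear whether this paragraph is meant to be the whole content of that section or the first item in it.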