Space rooms have no message restrictions by default: moderation blind spot for public spaces

[SpookySkeletons]

When creating a space, Element sets events_default: 0 and doesn't explicitly set m.room.message in the power levels. This means any member of the space can send messages directly into the space room itself via the API, even though no client surfaces these messages in the UI.
MSC1772 explicitly called this out:

"Space-rooms should be created with a power level for events_default of 100, to prevent the rooms accidentally/maliciously clogging up with messages from random members of the space."

This was never implemented. Every space created by Element and possibly many more Matrix clients has this wide open by default.

Why this matters:

I run LVRA (Linux VR Adventures), a public-listed space with 6,000+ members across bridged Matrix and Discord communities. When we were dealing with bot waves hitting the server while publicly open on the instance, we were focused on moderating the visible rooms where bots would dump into and over the discord bridge. It never occurred to us that bots could also be posting directly into the space room itself, because no client shows that timeline. We only found out when two members started chatting by manually querying the messages API in the space room.

The space room is a completely unmonitored channel that any joined member can post into, and moderation tools don't surface it. For any large public space dealing with bot spam or abuse, this is a blind spot that's invisible without API-level inspection. Content could sit in there indefinitely with nobody aware.

Steps to reproduce:

1. Create a space in Element
2. Check the power levels on the space room curl -H "Authorization: Bearer $TOKEN" 'https://matrix-client.matrix.org/_matrix/client/v3/rooms/!yourroomid:matrix.org/state/m.room.power_levels/'
3. Note events_default: 0 and no m.room.message entry — any user at PL 0 can post
4. Confirm messages are invisible in the client UI

Expected behavior:
Space rooms should be created with m.room.message set to 100 (or events_default: 100) per the MSC1772 recommendation, so only admins can post into the space room itself.

Workaround

Manually PUT updated power levels to add "m.room.message": 100 to the events object. Not exactly discoverable for most space admins who shouldn't need to curl the API to close a hole that the original proposal already identified.
I'm currently informing a few more friends who run community servers to tighten this down.

Have you considered any alternatives?

No response

Additional context

No response

[t3chguy]

This was never implemented. Every space created by Element and possibly many more Matrix clients has this wide open by default.

This seems to be patently false.

Screen.Recording.2026-02-24.at.09.14.21.mov

This has been the case since 2021.

Care to share logs or reproduction steps that work?

The only time EW ever overrides events_default is to set it to 100 when creating a space

[SpookySkeletons]

Repro was presumed and presumed for element web after questioning admin who established space self reported their client was element desktop. Checking original power levels when the room was established in 2023 it began with a default of 0 for some reason but it's also possible that the client used here was not element.

Either way somebody was spitting space rooms starting at 0 but it appears to not be element based on the git history presenting. Closing the issue but I will ask around and still see if I can locate the source of this default.