Skip to main content

matrix-sdk-ui CVE-2026-45057

MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-04 https://github.com/matrix-org/matrix-rust-sdk GHSA-h97m-27fx-42rx
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 04, 2026 - 15:24 vuln.today
Analysis Generated
Jun 04, 2026 - 15:24 vuln.today

DescriptionGitHub Advisory

Impact

The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator (or an actor with equivalent power) to impersonate or spoof messages as if they were sent by a victim user.

Patches

matrix-sdk-ui 0.16.1 fixes the message edit validation logic to align with the algorithm for replacement events[^1] described in the Matrix specification.

Workarounds

N/A

References

  • Pull request: https://github.com/matrix-org/matrix-rust-sdk/pull/6454

For more information

If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).

[^1]: https://spec.matrix.org/unstable/client-server-api/#validity-of-replacement-events

AnalysisAI

Message spoofing in matrix-sdk-ui before 0.16.1 allows an authenticated homeserver administrator to impersonate any user on that server by injecting unencrypted replacement events targeting encrypted original messages. The edit validation logic in the Rust crate's matrix-sdk-ui component omits the check that a replacement (edit) event for an encrypted original must itself also be encrypted, violating the Matrix specification's replacement event validity algorithm. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the integrity impact is high against affected clients that trust a malicious or compromised homeserver.

Technical ContextAI

The Matrix protocol allows users to edit previously sent messages by sending a replacement event - a new event with an m.relates_to relation of type m.replace referencing the original event's ID. The Matrix specification (https://spec.matrix.org/v1.17/client-server-api/#validity-of-replacement-events) requires that if the original event was encrypted (e.g., via Megolm in an end-to-end encrypted room), the replacement event must also be encrypted. The affected package, pkg:rust/matrix-sdk-ui versions before 0.16.1, failed to enforce this invariant. CWE-345 (Insufficient Verification of Data Authenticity) is the root cause: the SDK accepted an unencrypted replacement as valid for an encrypted original without authenticating that the replacement carried equivalent encryption guarantees. The PR diff confirms the fix introduced a new ReplacementNotEncrypted error variant and a check_validity_of_replacement_events function in matrix-sdk-common/src/edit_validation.rs that now enforces encryption parity between original and replacement events.

RemediationAI

Upgrade matrix-sdk-ui to version 0.16.1 or later, which introduces proper validation of replacement event encryption parity per the Matrix specification. The patched release is available at https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-0.16.1 and the fix is detailed in pull request https://github.com/matrix-org/matrix-rust-sdk/pull/6454. The vendor advisory at https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-h97m-27fx-42rx confirms no workaround is available - the only remediation is upgrading the crate. Projects using cargo should update their Cargo.toml dependency to matrix-sdk-ui = ">=0.16.1" and run cargo update to pull the fixed version. Since the vulnerability requires homeserver-level access, organizations operating in high-trust or isolated homeserver environments may assess residual risk as lower, but upgrading remains the definitive fix with no noted side effects.

Share

CVE-2026-45057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy