Reported

June 3, 2026

Issued

June 4, 2026

Package

matrix-sdk-ui (crates.io)

Type

Vulnerability

Aliases

• GHSA-h97m-27fx-42rx
• CVE-2026-45057

References

• https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-h97m-27fx-42rx

CVSS Score

4.9 MEDIUM

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

High

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Patched

• >=0.16.1

Description

The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator (or an actor with equivalent power) to impersonate or spoof messages as if they were sent by a victim user.

Advisory available under CC0-1.0 license.