PT-2026-46305 · Unknown · Matrix-Sdk-Crypto
Published 2026-06-03 · Updated 2026-06-04
CVE-2026-45056
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
matrix-sdk-crypto versions prior to 0.16.1
Description
The matrix-sdk-crypto crate fails to verify the sender's user ID during the decryption of Olm-encrypted to-device messages that include the sender device keys property. This flaw allows an attacker to spoof the sender of an encrypted to-device message, provided the attacker is the homeserver operator or is colluding with them.
Recommendations
Update to version 0.16.1.
Fix
Authentication Bypass by Spoofing
Affected Products
Matrix-Sdk-Crypto