CVE-2026-45056
Sender-binding gaps in to-device messages
Published: 6/4/2026Modified: 6/4/2026
Description
The matrix-sdk-crypto crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the sender_device_keys property. This could be exploited to spoof the sender of an encrypted to-device message, but only if the attacker colludes with (or is) the homeserver operator.
Affected packages (2)
- crates.io/matrix-sdk-crypto>= 0.12.0, < 0.16.1
- crates.io/matrix-sdk-crypto>= 0.12.0, < 0.16.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
References (6)
- PATCHhttps://crates.io/crates/matrix-sdk-crypto
- PATCHhttps://github.com/matrix-org/matrix-rust-sdk
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/pull/6553
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-0.16.1
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-wfq4-36m3-9g42
- WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0159.html