CVE-2026-45057

MEDIUM4.9

Incomplete message edit validation in matrix-sdk-ui

Published: 6/4/2026Modified: 6/4/2026

Also known as:GHSA-h97m-27fx-42rxRUSTSEC-2026-0158

Description

The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator (or an actor with equivalent power) to impersonate or spoof messages as if they were sent by a victim user.

Affected packages (2)

crates.io/matrix-sdk-uifrom 0, < 0.16.1
crates.io/matrix-sdk-ui>= 0.0.0-0, < 0.16.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References (6)

PATCHhttps://crates.io/crates/matrix-sdk-ui
PATCHhttps://github.com/matrix-org/matrix-rust-sdk
WEBhttps://github.com/matrix-org/matrix-rust-sdk/pull/6454
WEBhttps://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-0.16.1
WEBhttps://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-h97m-27fx-42rx
WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0158.html