CVE-2026-45057

MEDIUM4.9

Incomplete message edit validation in matrix-sdk-ui

發布日:2026/6/4修改日:2026/6/4

也稱為:GHSA-h97m-27fx-42rxRUSTSEC-2026-0158

描述

The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator (or an actor with equivalent power) to impersonate or spoof messages as if they were sent by a victim user.

受影響套件(2)

crates.io/matrix-sdk-uifrom 0, < 0.16.1
crates.io/matrix-sdk-ui>= 0.0.0-0, < 0.16.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

參考連結(6)

PATCHhttps://crates.io/crates/matrix-sdk-ui
PATCHhttps://github.com/matrix-org/matrix-rust-sdk
WEBhttps://github.com/matrix-org/matrix-rust-sdk/pull/6454
WEBhttps://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-0.16.1
WEBhttps://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-h97m-27fx-42rx
WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0158.html