VYPR
Moderate severityNVD Advisory· Published Jun 4, 2026

Matrix Rust SDK: Sender-binding gaps in to-device and room-key attribution

CVE-2026-45056

Description

Impact

The matrix-sdk-crypto crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the sender_device_keys property.

This could be exploited to spoof the sender of an encrypted to-device message, but only if the attacker colludes with (or is) the homeserver operator.

Patches

This issue is fixed in matrix-sdk-crypto 0.16.1.

Workarounds

There are no known workarounds for the issue.

References

This issue was fixed in https://github.com/matrix-org/matrix-rust-sdk/pull/6553.

For more information

If you have any questions or comments about this advisory, please email us at security at matrix.org.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
matrix-sdk-cryptocrates.io
>= 0.12.0, < 0.16.10.16.1

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.