VYPR
Moderate severityNVD Advisory· Published Jun 4, 2026

matrix-sdk-ui: Incomplete edit validation

CVE-2026-45057

Description

Impact

The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator (or an actor with equivalent power) to impersonate or spoof messages as if they were sent by a victim user.

Patches

matrix-sdk-ui 0.16.1 fixes the message edit validation logic to align with the algorithm for replacement events[^1] described in the Matrix specification.

Workarounds

N/A

### References * Pull request: https://github.com/matrix-org/matrix-rust-sdk/pull/6454

For more information

If you have any questions or comments about this advisory, please email us at security at matrix.org.

[^1]: https://spec.matrix.org/unstable/client-server-api/#validity-of-replacement-events

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
matrix-sdk-uicrates.io
< 0.16.10.16.1

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.