HIGH 8.6
PYSEC-2026-842
When matrix-nio receives forwarded room keys, the receiver doesn't check if it requested the key from the forwarder
Details
When matrix-nio before 0.20 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn't check that the device that responded matches the device the key was requested from.
This allows a malicious homeserver to insert room keys of questionable validity into the key store in some situations, potentially assisting in an impersonation attack.
### For more information If you have any questions or comments about this advisory, e-mail us at [poljar@termina.org.uk](mailto:poljar@termina.org.uk).
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2022-39254 [ADVISORY]
- https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 [WEB]
- https://github.com/poljar/matrix-nio [PACKAGE]
- https://pypi.org/project/matrix-nio [PACKAGE]
- https://github.com/advisories/GHSA-w4pr-4vjg-hffh [ADVISORY]