VDB
KO
HIGH 8.6

PYSEC-2026-842

When matrix-nio receives forwarded room keys, the receiver doesn't check if it requested the key from the forwarder

Details

When matrix-nio before 0.20 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn't check that the device that responded matches the device the key was requested from.

This allows a malicious homeserver to insert room keys of questionable validity into the key store in some situations, potentially assisting in an impersonation attack.

### For more information If you have any questions or comments about this advisory, e-mail us at [poljar@termina.org.uk](mailto:poljar@termina.org.uk).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / matrix-nio
Introduced in: 0 Fixed in: 0.20
Fix pip install --upgrade 'matrix-nio>=0.20'

References