PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42553 cinnyapp CVE debrief

## Summary

A remote authenticated attacker with room emote creation permissions can steal Matrix access tokens from Cinny client users. The attack requires the victim to open the emoji/sticker picker in a room containing a malicious emote pack. The vulnerability stems from two flaws: (1) improper validation of `pack.meta.avatar` URLs in `EmojiBoard`, allowing arbitrary HTTP(S) URLs instead of restricted MXC URLs; and (2) a service worker that attaches the user's `Authorization` bearer token to outbound GET requests matching `/_matrix/client/v1/media/download` or `/_matrix/client/v1/media/thumbnail` path patterns without verifying the request host matches the configured homeserver. An attacker-controlled server with permissive CORS can receive the victim's access token.

## Affected Product

- **Product:** Cinny (Matrix client)
- **Affected Versions:** Prior to 4.10.3
- **Fixed Version:** 4.10.3

## Attack Prerequisites

- Attacker must share a room with the victim (e.g., direct message)
- Attacker must have permissions to create room emotes
- Victim must open the emoji or sticker picker in the compromised room
- Attacker-controlled server must implement permissive CORS to receive the token

## Impact

Successful exploitation allows the attacker to obtain the victim's Matrix access token, enabling impersonation of the victim and unauthorized access to their Matrix account. CVSS 4.0 score: 7.1 (HIGH).

## Recommended Actions

1. **Immediate:** Upgrade Cinny to version 4.10.3 or later
2. **Verification:** Confirm installed version is ≥4.10.3 via application settings or package manager
3. **Monitoring:** Review Matrix account access logs for unauthorized sessions if exploitation is suspected
4. **Rotation:** If compromise is suspected, rotate Matrix access tokens and review active sessions

## References

- CVE Record: CVE-2026-42553
- NVD Entry: CVE-2026-42553
- GitHub Security Advisory: GHSA-j944-w549-3453
- Release Notes: Cinny v4.10.3

| Field | Value |
|---|---|
| Vendor | cinnyapp |
| Product | cinny |
| CVSS | HIGH 7.1 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-27 |
| Original CVE updated | 2026-05-27 |
| Advisory published | 2026-05-27 |
| Advisory updated | 2026-05-27 |

Who should care

Organizations and individuals using Cinny as their Matrix client, particularly those in shared rooms where untrusted users may have emote creation permissions. Matrix homeserver administrators should encourage client upgrades to prevent credential exposure.

Technical summary

Two related vulnerabilities in Cinny's emoji/sticker picker implementation enable access token exfiltration. First, `EmojiBoard` fails to validate `pack.meta.avatar` as an MXC URL, permitting arbitrary HTTP(S) URLs. Second, the service worker unconditionally attaches the `Authorization` header to requests matching Matrix media endpoint paths regardless of destination host. Combined, these allow an attacker to craft a malicious emote pack that causes the victim's client to send their bearer token to an attacker server when the picker is opened.
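To make the two checks concrete, the following is an added illustrative example (not Cinny's own code) of the token-attachment decision a service worker makes, with the host-agnostic form the advisory describes beside a hardened form that also pins the request origin to the configured homeserver, plus an MXC-only validator for the emote-pack avatar. The names `HOMESERVER_URL`, `shouldAttachTokenVulnerable`, `shouldAttachTokenHardened`, `isMxcUrl` and `avatarDownloadUrl` are assumptions for this example, and the homeserver value is a constructed sample.

```javascript
// Illustrative example, not Cinny's code. Names and values are assumed/constructed.
const HOMESERVER_URL = "https://matrix.example.org"; // constructed sample homeserver

// Authenticated-media paths named in the advisory: the only paths on which a
// Matrix client legitimately needs to send its bearer token.
const AUTH_MEDIA_PATHS = [
  "/_matrix/client/v1/media/download/",
  "/_matrix/client/v1/media/thumbnail/",
];

// Flaw (2) as described: the decision looks at the path pattern only, so any
// destination whose path matches receives the Authorization header.
function shouldAttachTokenVulnerable(requestUrl) {
  const { pathname } = new URL(requestUrl);
  return AUTH_MEDIA_PATHS.some((p) => pathname.startsWith(p));
}

// Hardened decision: same path check, but the request origin (scheme, host and
// port) must equal the configured homeserver's origin. Comparing origins rather
// than hostnames also rejects a different port or a scheme downgrade.
function shouldAttachTokenHardened(requestUrl, homeserverUrl = HOMESERVER_URL) {
  const req = new URL(requestUrl);
  const hs = new URL(homeserverUrl);
  if (req.origin !== hs.origin) return false;
  return AUTH_MEDIA_PATHS.some((p) => req.pathname.startsWith(p));
}

// Flaw (1) as described: the avatar must be an mxc://server/mediaId reference,
// never an arbitrary http(s) URL that the client would then fetch directly.
const MXC_RE = /^mxc:\/\/([^/?#]+)\/([^/?#]+)$/;
function isMxcUrl(value) {
  return typeof value === "string" && MXC_RE.test(value);
}

// Builds the homeserver download URL for an emote avatar; anything that is not
// a valid MXC URL is refused (returns null) instead of being used as-is.
function avatarDownloadUrl(avatar, homeserverUrl = HOMESERVER_URL) {
  const m = typeof avatar === "string" ? MXC_RE.exec(avatar) : null;
  if (!m) return null;
  const [, server, mediaId] = m;
  return `${homeserverUrl}/_matrix/client/v1/media/download/` +
    `${encodeURIComponent(server)}/${encodeURIComponent(mediaId)}`;
}
```

Because the hardened check runs inside the service worker, it closes the token leak even if a future UI component again passes an unvalidated URL through.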

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Cinny to version 4.10.3 or later
  • Verify installed version is at least 4.10.3
  • Review Matrix account access logs for suspicious activity
  • Rotate Matrix access tokens if compromise is suspected

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory and release notes. CVSS vector and CWE-20 classification sourced from NVD record. Attack vector details derived from official advisory description.

Official resources
