Matrix Client Vulnerability in Cinny Affects User Access Tokens
CVE-2026-42553

7.1HIGH

Key Information:

Vendor: Cinnyapp
Status: Cinny
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-42553?

Prior to version 4.10.3, Cinny, a Matrix client, was susceptible to a vulnerability that allowed remote authenticated attackers to exploit the emoji picker feature. When a victim accessed the emoji or sticker picker within a room containing a malicious emote pack, the attack could lead to the unintended transmission of the user's Matrix access token to an attacker-controlled server. This vulnerability stemmed from improper handling of user-controlled avatar metadata and deficiencies in validating URLs, creating a vector for unauthorized access. The introduction of version 4.10.3 addresses these security lapses, making it essential for users to update their applications immediately.

Affected Version(s)

cinny < 4.10.3

References

https://github.com/cinnyapp/cinny/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/cinnyapp/cinny/releases/tag/v4.10.3

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 28, 2026

CVE-2026-42553 Data

JSON

Cinnyapp

What is CVE-2026-42553?

Affected Version(s)

References

CVSS V4

Timeline