{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cinny/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cinny"],"_cs_severities":["high"],"_cs_tags":["credential-access","web-application","token-theft"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA vulnerability in the Cinny web application allows an attacker to steal a victim\u0026rsquo;s Matrix access token. This occurs when an authenticated attacker who shares a room with a victim and possesses permissions to create room emotes (e.g., in a direct message) injects a malicious emote pack. When the victim opens the emoji or sticker picker for that room, the client sends the victim\u0026rsquo;s Matrix access token to a server controlled by the attacker. This is due to two primary issues: the EmojiBoard component incorrectly uses the untrusted \u003ccode\u003epack.meta.avatar\u003c/code\u003e field without proper MXC URL validation, allowing arbitrary HTTP(S) URLs, and the service worker unconditionally attaches the user\u0026rsquo;s Authorization token to outbound GET requests containing \u003ccode\u003e/_matrix/client/v1/media/download\u003c/code\u003e or \u003ccode\u003e/_matrix/client/v1/media/thumbnail\u003c/code\u003e, without validating the request host. This enables an attacker to receive the victim\u0026rsquo;s access token via an attacker-controlled URL with permissive CORS. This issue affects Cinny web app versions prior to 4.10.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a Matrix server.\u003c/li\u003e\n\u003cli\u003eThe attacker shares a room with the victim (e.g., creates a DM).\u003c/li\u003e\n\u003cli\u003eThe attacker uses their permissions to create a custom emote pack within the shared room.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003epack.meta.avatar\u003c/code\u003e field within the emote pack to a malicious URL containing \u003ccode\u003e/_matrix/client/v1/media/download\u003c/code\u003e and hosted on a server they control.\u003c/li\u003e\n\u003cli\u003eThe victim opens the emoji or sticker picker within the room.\u003c/li\u003e\n\u003cli\u003eThe Cinny client, due to the incorrect fallback in EmojiBoard, uses the attacker-controlled URL from \u003ccode\u003epack.meta.avatar\u003c/code\u003e without proper validation.\u003c/li\u003e\n\u003cli\u003eThe service worker attaches the victim\u0026rsquo;s Authorization header (containing the access token) to the outbound GET request for the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server, configured with permissive CORS, receives the victim\u0026rsquo;s access token via the Authorization header.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal a victim\u0026rsquo;s Matrix access token. With the stolen token, the attacker can impersonate the victim, access their private messages, join rooms as the victim, and perform actions on their behalf. The scope of impact is limited to users of the Cinny web application prior to version 4.10.3 who interact with rooms containing malicious emote packs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Cinny version 4.10.3 or later to remediate CVE-2026-42553.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Media Download Request with Authorization Header\u003c/code\u003e to detect potential exploitation attempts by monitoring network connections with Authorization headers to external media download URLs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Arbitrary Avatar URL\u003c/code\u003e to detect potential exploitation attempts by monitoring webserver logs for requests to arbitrary URLs specified as avatars.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T16:40:52Z","date_published":"2026-05-07T16:40:52Z","id":"/briefs/2026-05-cinny-token-disclosure/","summary":"A remote authenticated attacker who shares a room with a victim can steal their Matrix access token by injecting a malicious emote pack, exploiting improper URL validation and service worker behavior in Cinny versions prior to 4.10.3.","title":"Cinny Access Token Disclosure via Malicious Emoji Pack","url":"https://feed.craftedsignal.io/briefs/2026-05-cinny-token-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Cinny","version":"https://jsonfeed.org/version/1.1"}