CVE-2026-42553 is an improper input validation vulnerability (CWE-20) in the Cinny Matrix client before version 4.10.3. An attacker who shares a room with the victim and has permissions to create room emotes can craft a malicious emote pack with a user-controlled avatar URL that is not properly validated as an MXC URL. This allows arbitrary HTTP(S) URLs to be used. When the victim opens the emoji or sticker picker, the client makes requests to attacker-controlled URLs containing specific path fragments. The service worker attaches the victim's Authorization bearer token to all outbound GET requests with URLs containing /_matrix/client/v1/media/download or /_matrix/client/v1/media/thumbnail without verifying the host matches the configured homeserver. Consequently, the attacker-controlled server can receive the victim's access token. The issue is resolved in Cinny version 4.10.3.

An attacker with room sharing and emote creation permissions can cause a victim's Cinny client to leak their Matrix access token to an attacker-controlled server. This token leakage can lead to unauthorized access to the victim's Matrix account. The vulnerability requires the attacker to be authenticated and share a room with the victim, but no user interaction beyond opening the emoji or sticker picker is needed. The CVSS 4.0 score is 7.1 (high severity), reflecting network attack vector, low attack complexity, no privileges required beyond room membership, no user interaction, and high confidentiality impact.

This vulnerability is fixed in Cinny version 4.10.3. Users and administrators should upgrade to version 4.10.3 or later to remediate this issue. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated but the fix is included in the specified version update.