Mallory

Deficient state resolution in Matrix before 1.16

Severity: High
Identifiers: CVE-2025-49090, CWE-670 (Always-Incorrect Control Flow Implementation)

CVE-2025-49090 affects the Matrix specification before version 1.16. Rooms using a room version before 12, and therefore a state resolution algorithm older than State Resolution v2.1, are subject to deficient state resolution. State resolution is the deterministic procedure every homeserver runs to compute a room's current state (membership, power levels, join rules and other state events) when the room's event graph forks, for example after a federation partition or when two servers send conflicting state events concurrently. A flaw in it means servers can be driven to an incorrect, or mutually inconsistent, view of room state. Matrix 1.16 introduces room version 12, which is the first room version to use State Resolution v2.1. The advisory identifies the issue only at the specification level and gives no function-level or implementation-level details.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The advisory does not spell out the full technical impact. Because state resolution decides which power-level, membership and join-rule events are authoritative in a room, an attacker who can exploit deficient resolution in an affected room version can cause federated participants to disagree about room state, or to adopt state that the room's own authorisation rules should not have allowed. The precise downstream effects are not specified in the available information.

Mitigation

If you can’t patch tonight, do this now.

Until full remediation is complete, reduce exposure as follows: stop creating rooms on vulnerable room versions (set the homeserver's default room version to 12 where the implementation allows it, and have clients pin the room version on creation); prioritise upgrading homeserver implementations that still rely on pre-1.16 specification behaviour; and monitor federated rooms for anomalous state changes, such as membership or power-level state that reverts without a corresponding visible event. Where room upgrades are possible, prefer room version 12, which uses State Resolution v2.1.

Remediation

Patch, then assume compromise.

Upgrade homeservers to an implementation of Matrix specification 1.16 or later and use room version 12, the first room version to use State Resolution v2.1. Note that the fix is applied per room, not per server: the room version fixes the state resolution algorithm for that room, so a patched server still runs the old algorithm in rooms that remain on versions before 12. Existing rooms therefore need to be upgraded with the room upgrade mechanism, which creates a replacement room on the new version and tombstones the old one, and every federating server in a room must support room version 12 before the upgrade or its users will be unable to join the replacement.
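As an added illustration of the audit-then-upgrade procedure described above (example code, not the advisory's or the Matrix project's own), the following Python script takes a homeserver room listing, flags rooms whose version predates State Resolution v2.1, orders them by membership so the largest blast radius is upgraded first, and produces the request needed for each upgrade. It assumes the listing has the shape returned by the Synapse admin API (GET /_synapse/admin/v1/rooms), that upgrades go through the client-server endpoint POST /_matrix/client/v3/rooms/{roomId}/upgrade, and that new rooms are created with POST /_matrix/client/v3/createRoom; the sample listing is constructed for the example.

```python
"""Plan room upgrades away from pre-v12 room versions (CVE-2025-49090).

Added example, not Mallory's or the Matrix project's code. Assumptions: the
room listing has the Synapse admin API shape (GET /_synapse/admin/v1/rooms),
i.e. {"rooms": [{"room_id", "name", "version", "joined_members"}, ...]};
upgrades use POST /_matrix/client/v3/rooms/{roomId}/upgrade with body
{"new_version": "12"}. The listing below is constructed sample data.
"""
import json
from urllib.parse import quote

# Room version 12 (Matrix 1.16) is the first to use State Resolution v2.1.
FIXED_ROOM_VERSION = 12

# Constructed sample of what a homeserver room listing might contain.
SAMPLE_ROOM_LISTING = {
    "rooms": [
        {"room_id": "!abc:example.org", "name": "ops", "version": "10", "joined_members": 42},
        {"room_id": "!def:example.org", "name": "announce", "version": "12", "joined_members": 900},
        {"room_id": "!ghi:example.org", "name": "legacy", "version": "1", "joined_members": 3},
        {"room_id": "!jkl:example.org", "name": "lab",
         "version": "org.example.experimental", "joined_members": 7},
    ],
    "total_rooms": 4,
}


def room_version_number(version):
    """Integer for a stable room version ("1".."12"); None for experimental or
    unrecognised identifiers, whose state resolution rules cannot be assumed."""
    try:
        return int(version)
    except (TypeError, ValueError):
        return None


def classify_room(room):
    """Return None if the room already uses State Resolution v2.1, otherwise a
    reason string saying why it needs attention."""
    number = room_version_number(room.get("version"))
    if number is None:
        return "experimental room version, state resolution rules unknown: review manually"
    if number < FIXED_ROOM_VERSION:
        return f"room version {number} uses pre-2.1 state resolution (CVE-2025-49090)"
    return None


def audit_rooms(listing):
    """Rooms needing an upgrade, largest membership first (biggest blast radius)."""
    findings = []
    for room in listing["rooms"]:
        reason = classify_room(room)
        if reason is not None:
            findings.append({
                "room_id": room["room_id"],
                "name": room.get("name", ""),
                "version": room.get("version"),
                "joined_members": room.get("joined_members", 0),
                "reason": reason,
            })
    findings.sort(key=lambda f: f["joined_members"], reverse=True)
    return findings


def upgrade_request(room_id, new_version=str(FIXED_ROOM_VERSION)):
    """HTTP method, path and JSON body for the client-server room upgrade call.
    The room ID is percent-encoded because '!' and ':' are not path-safe."""
    path = f"/_matrix/client/v3/rooms/{quote(room_id, safe='')}/upgrade"
    return "POST", path, {"new_version": new_version}


def create_room_request(name, room_version=str(FIXED_ROOM_VERSION)):
    """Body for POST /_matrix/client/v3/createRoom that pins the room version, so
    new rooms do not silently land on the server's (possibly older) default."""
    return {"name": name, "room_version": room_version, "preset": "private_chat"}


if __name__ == "__main__":
    for finding in audit_rooms(SAMPLE_ROOM_LISTING):
        method, path, body = upgrade_request(finding["room_id"])
        print(f"{finding['room_id']} ({finding['name']}, v{finding['version']}, "
              f"{finding['joined_members']} members): {finding['reason']}")
        print(f"  {method} {path} {json.dumps(body)}")
```

Two caveats when running the upgrades the script plans: the account issuing the upgrade needs enough power level in each room to send the tombstone event, and the upgrade does not move members automatically. The old room stays on its old version until everyone has left it, so keep it in the audit until it is empty rather than treating the tombstone as the end of the job. Experimental versions are deliberately flagged for manual review instead of being assumed safe, since their state resolution rules are not determined by the version string alone.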
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
