MatrixSDK is vulnerable to impersonation via forwarded Megolm sessions. An overly permissive key forwarding strategy in MatrixSDK allows an attacker cooperating with a malicious homeserver to construct messages that appear to have come from another person. The default policy for accepting key forwards fails to check whether forwarded keys were sent in response to previously issued requests.
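The missing check described above, sketched as an added example; it is not code from matrix-ios-sdk. It models a client that imports a forwarded key only when it matches a request the client itself issued. The class and function names (`SessionRef`, `PermissivePolicy`, `StrictPolicy`, `demo`) and the one-answer-per-request rule are assumptions made for illustration.

```python
"""Simplified model of a key-forward acceptance policy (added example, not SDK code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionRef:
    """Identifies one Megolm session, as named in a key request or a forwarded key."""
    room_id: str
    session_id: str
    algorithm: str = "m.megolm.v1.aes-sha2"


class PermissivePolicy:
    """Models the flawed behaviour: every forwarded key is imported."""

    def accept(self, forwarded: SessionRef) -> bool:
        return True


class StrictPolicy:
    """Imports a forwarded key only if this client asked for that session."""

    def __init__(self) -> None:
        self._pending: set[SessionRef] = set()

    def record_request(self, wanted: SessionRef) -> None:
        # Call when the client sends a key request for an undecryptable event.
        self._pending.add(wanted)

    def accept(self, forwarded: SessionRef) -> bool:
        if forwarded not in self._pending:
            return False  # unsolicited forward: drop it
        # Assumption of this sketch: one request allows one accepted answer.
        self._pending.discard(forwarded)
        return True


def demo() -> dict[str, bool]:
    # Constructed sample values; not real room or session identifiers.
    requested = SessionRef("!room:example.org", "SESSION_REQUESTED")
    unsolicited = SessionRef("!room:example.org", "SESSION_NEVER_REQUESTED")
    strict = StrictPolicy()
    strict.record_request(requested)
    return {
        "permissive_unsolicited": PermissivePolicy().accept(unsolicited),
        "strict_unsolicited": strict.accept(unsolicited),
        "strict_requested": strict.accept(requested),
        "strict_repeated": strict.accept(requested),
    }
```
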
github.com/matrix-org/matrix-ios-sdk/commit/5ca86c328a5faaab429c240551cb9ca8f0f6262c
github.com/matrix-org/matrix-ios-sdk/releases/tag/v0.23.19
github.com/matrix-org/matrix-ios-sdk/security/advisories/GHSA-qxr3-5jmq-xcf4
matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients