We urge you to update to Monal ≥ 4.9 if you haven’t done it yet.
We discovered a security bug in Monal < 4.9 dubbed CVE-2020-26547:
Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attackerCVE-2020-26547
(able to send stanzas to a victim) to inject arbitrary messages into
the local history, with full control over the sender and receiver displayed
to the victim.
Thilo and Friedrich