Description
continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.
Published: 2026-02-02
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Event Signing
Action: Apply Patch
AI Analysis

Impact

This flaw allows a malicious remote server to compel a local Matrix homeserver to sign arbitrary events when a user interacts with rooms. The server blindly trusts data from the remote server, missing validation of critical fields such as origin, initiation timestamps, and membership content. As a result, an attacker can forge signed events that appear to originate from legitimate users, potentially enabling unauthorized actions such as membership manipulation or replay attacks. The weakness is a classic Confused‑Deputy scenario (CWE‑441).

Affected Systems

Vulnerable servers include all Conduit‑derived homeservers written in Rust, such as continuwuity, Conduit, Grapevine, and Tuwunel. Affected versions are prior to continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.

Risk and Exploitability

The severity score of 9.3 indicates critical impact for affected deployments. Exploitability probability, as measured by EPSS, is less than 1‑percent, suggesting low likelihood of widespread attacks but not zero; attackers would need to run a malicious server and convince victims to join, leave, or knock on rooms. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, but the high CVSS and potential loss of integrity make proactive mitigation essential.

Generated by OpenCVE AI on April 18, 2026 at 00:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update continuwuity to version 0.5.1 or later, Conduit to 0.10.11, Grapevine to commit 0aae932b, or Tuwunel to 1.4.9
  • Configure the homeserver to refuse assistance requests from unknown or untrusted remote servers by restricting the domain whitelist to trusted domains only
  • Audit and enforce strict validation of all event fields received from remote servers, ensuring origin, timestamp, and membership content are locally generated or cross‑checked before signing

Generated by OpenCVE AI on April 18, 2026 at 00:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Conduit
Conduit conduit
Continuwuity
Continuwuity continuwuity
Vendors & Products Conduit
Conduit conduit
Continuwuity
Continuwuity continuwuity

Tue, 03 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.
Title Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy')
Weaknesses CWE-441
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H'}

Subscriptions

Conduit Conduit
Continuwuity Continuwuity
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T14:53:20.068Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24471

cve-icon Vulnrichment

Updated: 2026-02-03T14:53:14.672Z

cve-icon NVD

Status : Deferred

Published: 2026-02-02T23:16:08.270

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses