CVE-2026-24471
Unknown Unknown - Not Provided
Arbitrary Event Signing Vulnerability in Continuwuity Matrix Servers

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-05-07
AI Q&A
2026-02-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-24471
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
continuwuity continuwuity 0.5.1
conduit conduit 0.10.11
grapevine grapevine 0aae932b
tuwunel tuwunel 1.4.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the continuwuity Matrix homeserver and related servers derived from Conduit. An attacker controlling a malicious remote server can trick the victim server into signing an arbitrary event when a user interacts with certain endpoints like leaving a room, joining a room, or knocking on a room. The victim server requests assistance from the attacker's server, which then provides a crafted event that the victim signs and returns. This allows the attacker to obtain signed events that they control, potentially leading to misuse or manipulation of server actions.


How can this vulnerability impact me? :

The vulnerability can allow an attacker to cause your server to sign arbitrary events, which could be used to forge or manipulate actions within the Matrix homeserver environment. This could lead to unauthorized actions appearing legitimate, potentially compromising the integrity of communications or server state. Since it was exploited in a larger attack chain, it poses a significant security risk to affected servers and their users.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update your affected server software to the fixed versions: Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, or Tuwunel 1.4.9. These updates contain the patches that address the vulnerability allowing arbitrary event signing.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart