CVE-2026-24471

CVSS: N/A   Severity: Unknown

📋 TL;DR

This vulnerability in Conduit-derived Matrix homeservers lets a malicious remote server obtain the victim server's signature on events of the attacker's choosing. When a local user joins, leaves, or knocks on a room hosted elsewhere, the homeserver asks a remote server for an event template (the make_join, make_leave and make_knock federation calls) and then signs what it gets back; affected servers do not adequately validate that template before signing, so the signed result can be an event the user never intended to send. Because the signature is genuine, such events look legitimate to the rest of the federation, which enables impersonation and other attacks. All servers derived from Conduit are affected.
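The check that separates the vulnerable and hardened behaviour is shown below as an added example written for this page; it is not code from Continuwuity, Conduit, Grapevine or Tuwunel, and the exact validation each project's patch performs is documented in the vendor advisory. `sign_event()` is a stand-in (an HMAC over canonical JSON, not the Ed25519 signature real servers produce), and the server name, key and the two templates are constructed for the demonstration.

```python
"""Template validation before signing for the make_join / make_leave / make_knock flows.
Added example for CVE-2026-24471, not project code; sign_event() is a stand-in."""
import hashlib
import hmac
import json

LOCAL_SERVER = "victim.example"          # assumed local server name
_SIGNING_KEY = b"demo-only-signing-key"  # hypothetical; real servers use Ed25519 keys


class TemplateRejected(ValueError):
    """Raised when a remote server's template is not the event we asked for."""


def validate_template(template: dict, *, room_id: str, user_id: str, operation: str) -> dict:
    """Accept only an m.room.member event for `user_id` in `room_id` whose membership
    matches `operation` (join / leave / knock). Anything else is never signed."""
    if operation not in ("join", "leave", "knock"):
        raise ValueError(f"unknown operation {operation!r}")
    if not user_id.endswith(":" + LOCAL_SERVER):
        raise TemplateRejected("we only sign events for our own users")
    if template.get("type") != "m.room.member":
        raise TemplateRejected(f"template type is {template.get('type')!r}, not m.room.member")
    if template.get("room_id") != room_id:
        raise TemplateRejected("template room_id differs from the room we requested")
    if template.get("sender") != user_id or template.get("state_key") != user_id:
        raise TemplateRejected("template sender/state_key is not the requesting user")
    content = template.get("content")
    if not isinstance(content, dict) or content.get("membership") != operation:
        raise TemplateRejected(f"template membership is not {operation!r}")
    if "signatures" in template:
        raise TemplateRejected("template must not arrive pre-signed")
    return template


def sign_event(event: dict) -> dict:
    """Stand-in for Matrix event signing. Real servers Ed25519-sign the redacted
    canonical JSON; here an HMAC over canonical JSON marks 'this server vouched for it'."""
    body = {k: v for k, v in event.items() if k not in ("signatures", "unsigned")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    signed = dict(event)
    signed["signatures"] = {LOCAL_SERVER: {"hmac-sha256:demo": mac}}
    return signed


def vulnerable_sign(template: dict, **_) -> dict:
    """Behaviour the advisory describes: sign whatever the remote returned."""
    return sign_event(template)


def hardened_sign(template: dict, *, room_id: str, user_id: str, operation: str) -> dict:
    """Validate first; a rejected template is never signed."""
    checked = validate_template(template, room_id=room_id, user_id=user_id, operation=operation)
    return sign_event(checked)


ROOM = "!room:attacker.example"
USER = "@alice:victim.example"

# Constructed templates: an honest make_join response, and a substituted event the
# remote hopes the victim will sign as if it were the membership event it asked for.
HONEST_TEMPLATE = {
    "type": "m.room.member", "room_id": ROOM, "sender": USER, "state_key": USER,
    "content": {"membership": "join"},
}
MALICIOUS_TEMPLATE = {
    "type": "m.room.power_levels", "room_id": ROOM, "sender": USER, "state_key": "",
    "content": {"users": {"@mallory:attacker.example": 100}},
}


def demo() -> tuple:
    """Returns (honest template signed, vulnerable path signed the bad one, hardened path rejected it)."""
    honest_ok = "signatures" in hardened_sign(HONEST_TEMPLATE, room_id=ROOM, user_id=USER, operation="join")
    vuln_signed = "signatures" in vulnerable_sign(MALICIOUS_TEMPLATE)
    try:
        hardened_sign(MALICIOUS_TEMPLATE, room_id=ROOM, user_id=USER, operation="join")
        rejected = False
    except TemplateRejected:
        rejected = True
    return honest_ok, vuln_signed, rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the check is that the requesting server, not the remote, knows which user, room and membership it asked for, so every one of those fields can be compared against local state before any signature is produced.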

💻 Affected Systems

Products:
  • Continuwuity
  • Conduit
  • Grapevine
  • Tuwunel
Versions: All versions before Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Conduit-derived Matrix homeserver implementations. The vulnerability requires interaction with a malicious remote server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could obtain signed events that appear legitimate from the victim server, potentially enabling impersonation of users, unauthorized room access, or participation in larger attack chains against federated Matrix networks.

🟠

Likely Case

Malicious server operators in federated Matrix networks could obtain signed events from vulnerable servers, which could be used to impersonate users or facilitate other attacks within the Matrix ecosystem.

🟢

If Mitigated

Restricting federation to trusted servers limits exposure to those servers only; the flaw itself remains, so any allowed server that is compromised or turns malicious can still exploit it until the server is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to control a remote server that the victim server federates with; a local user joining, leaving, or knocking on a room involving that server is enough to trigger the signing. The vulnerability was exploited as part of a larger attack chain against continuwuity.org.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, Tuwunel 1.4.9

Vendor Advisory: https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v

Restart Required: Yes

Instructions:

1. Stop the Matrix homeserver service.
2. Update to the patched version using your package manager or build from source.
3. Restart the homeserver service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Server Federation


Limit federation to trusted servers only, so that the template requests made on behalf of local users never reach a server you do not control or trust. This reduces exposure but does not remove the flaw.

# Conduit-derived servers use a TOML config (e.g. conduit.toml), not Synapse's homeserver.yaml;
# federation_domain_whitelist is a Synapse-only option and has no effect on these servers.
# Conduit: allow_federation = false disables federation entirely.
# Forks that ship a remote-server allow/deny list document the key in their example config;
# check that file rather than assuming an option name.

🧯 If You Can't Patch

  • Implement strict federation policies to only communicate with trusted servers
  • Monitor server logs for unusual signing requests or interactions with unknown servers

🔍 How to Verify

Check if Vulnerable:

Check your server version against the vulnerable versions listed. If running Continuwuity <0.5.1, Conduit <0.10.11, Grapevine before 0aae932b, or Tuwunel <1.4.9, you are vulnerable.

Check Version:

# For Continuwuity: continuwuity --version
# For Conduit: conduit --version
# Check your specific implementation's version command

Verify Fix Applied:

After updating, confirm that the running binary reports a version at or above the patched one. The standard federation endpoint /_matrix/federation/v1/version returns the server name and version from the outside, which also confirms that the restart picked up the new binary. Then check that the server starts and federates normally.
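An added helper for the version check above, written for this page rather than taken from any vendor's tooling. The only network call is to the standard Matrix federation endpoint `GET /_matrix/federation/v1/version`, whose response has the shape `{"server": {"name": "...", "version": "..."}}`; which product name each implementation reports there, and the port, are assumptions, so look at the raw response as well. Grapevine is fixed by commit rather than by a release, so it is always reported for manual confirmation.

```python
"""Version check for CVE-2026-24471 against the fixed releases in the advisory.
Added example, not vendor tooling; server names reported by each product are assumed."""
import json
import re
import urllib.request

# Patched versions from the advisory; Grapevine is fixed by commit, not by a release.
FIXED = {
    "continuwuity": (0, 5, 1),
    "conduit": (0, 10, 11),
    "tuwunel": (1, 4, 9),
}
GRAPEVINE_FIX_COMMIT = "0aae932b"


def parse_version(text: str):
    """First X.Y.Z in the string as an int tuple, or None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def identify(name: str):
    """Map the reported server name onto a product key, or None if unrecognised."""
    lowered = name.lower()
    if "grapevine" in lowered:
        return "grapevine"
    for product in FIXED:  # 'conduit' is not a substring of the other product names
        if product in lowered:
            return product
    return None


def assess(server_info: dict) -> str:
    """Classify a /_matrix/federation/v1/version 'server' object as
    PATCHED, VULNERABLE, MANUAL (cannot decide automatically) or UNKNOWN."""
    name = str(server_info.get("name", ""))
    version = str(server_info.get("version", ""))
    product = identify(name)
    if product is None:
        return f"UNKNOWN: server {name!r} not recognised as Conduit-derived"
    if product == "grapevine":
        return f"MANUAL: Grapevine build {version!r}; confirm it includes commit {GRAPEVINE_FIX_COMMIT}"
    parsed = parse_version(version)
    if parsed is None:
        return f"MANUAL: {product} reports unparseable version {version!r}"
    fix = ".".join(map(str, FIXED[product]))
    prerelease = "-" in version  # e.g. 0.5.1-rc.1 may predate the fix
    if parsed > FIXED[product] or (parsed == FIXED[product] and not prerelease):
        return f"PATCHED: {product} {version} (fix {fix})"
    if parsed == FIXED[product]:
        return f"MANUAL: {product} {version} is a pre-release of the fix version; confirm the build"
    return f"VULNERABLE: {product} {version} (fix {fix})"


def fetch_server_info(host: str, port: int = 8448, timeout: float = 5.0) -> dict:
    """Fetch the 'server' object from the federation version endpoint (assumed port 8448)."""
    url = f"https://{host}:{port}/_matrix/federation/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["server"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(assess(fetch_server_info(host)))
```

If federation is delegated via .well-known or an SRV record, or fronted by a reverse proxy on 443, point `fetch_server_info` at the host and port the delegation resolves to; the endpoint is unauthenticated, so it can also be used to check the servers you federate with.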

📡 Detection & Monitoring

Log Indicators:

  • Unusual signing events during room leave/join/knock operations
  • Interactions with unknown or suspicious remote servers
  • Unexpected event signing requests

Network Indicators:

  • Unusual federation traffic patterns
  • Requests to/from unknown Matrix servers

SIEM Query (pseudo-query; the field names are placeholders to map onto your own log schema):

matrix_server_logs WHERE (operation IN ('make_leave', 'make_join', 'make_knock')) AND remote_server NOT IN trusted_servers
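The pseudo-query above, as an added example run over constructed log lines rather than real server output: it flags outbound make_join / make_leave / make_knock template requests to remote servers outside an allow list and counts such requests per remote. The tracing-style line format is assumed, and whether your build logs outbound federation requests at this level (it may need a debug log level) has to be checked against your own logs.

```python
"""Detection over outbound federation logs for CVE-2026-24471.
Added example; the log lines and their format are constructed for this page."""
import re
from collections import Counter

# Constructed sample: three template requests, one of them to a server we do not trust.
SAMPLE_LOG = """\
2026-01-12T10:15:01Z  INFO federation: GET https://matrix.example.org:8448/_matrix/federation/v1/make_join/!abc:matrix.example.org/@alice:victim.example -> 200
2026-01-12T10:15:07Z  INFO federation: GET https://evil.example:8448/_matrix/federation/v1/make_leave/!rm:evil.example/@bob:victim.example -> 200
2026-01-12T10:15:09Z DEBUG federation: PUT https://evil.example:8448/_matrix/federation/v1/send_leave/!rm:evil.example/$ev -> 200
2026-01-12T10:16:40Z  INFO federation: GET https://matrix.example.org:8448/_matrix/federation/v1/make_knock/!xyz:matrix.example.org/@carol:victim.example -> 200
"""

TRUSTED = {"matrix.example.org"}  # assumed federation allow list

# Matches the assumed line format: timestamp, level, "federation:", method, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\w+\s+federation:\s+(?P<method>GET|PUT)\s+"
    r"https://(?P<host>[^/:]+)(?::\d+)?/_matrix/federation/v1/"
    r"(?P<op>make_join|make_leave|make_knock|send_join|send_leave|send_knock)/"
    r"(?P<room>[^/\s]+)(?:/(?P<rest>\S+))?"
)


def parse_line(line: str):
    """Fields of one federation request line, or None for lines of other kinds."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_template_requests(log_text: str, trusted: set):
    """Return (findings, counts). findings lists make_* requests to hosts outside
    `trusted`; counts is the number of make_* requests per remote host, which is
    what the page's SIEM pseudo-query selects on."""
    findings = []
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["op"].startswith("make_"):
            continue  # send_* and unrelated lines are not template requests
        counts[rec["host"]] += 1
        if rec["host"] not in trusted:
            findings.append({
                "ts": rec["ts"], "host": rec["host"], "op": rec["op"],
                "room": rec["room"], "user": rec["rest"],
            })
    return findings, counts


if __name__ == "__main__":
    found, per_host = find_template_requests(SAMPLE_LOG, TRUSTED)
    for f in found:
        print(f"{f['ts']} {f['op']} for {f['user']} in {f['room']} via untrusted {f['host']}")
    print(dict(per_host))
```

A hit only says that a local user's membership template came from an untrusted server; on an unpatched build that is exactly the condition under which the attack can run, so pair it with the version check and with the send_* call that follows each make_* to see which event was actually signed.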
