Unknown · Continuwuity · CVE-2026-24471
**Name of the Vulnerable Software and Affected Versions**
Continuwuity versions prior to 0.5.1
Conduit versions prior to 0.10.11
Grapevine versions prior to 0aae932b
Tuwunel versions prior to 1.4.9
**Description**
A flaw exists that allows a malicious remote server to cause a local server to sign an arbitrary event upon user interaction. It is triggered when a user account leaves a room, joins a room, or knocks on a room, any of which can prompt the victim server to request assistance from a remote server. If the victim requests assistance from an attacker-controlled server, the attacker can provide an arbitrary event, which the victim server will then sign and return. The `/leave` endpoint is vulnerable to any event with a supported room version, subject to the `origin` and `origin_server_ts` fields being set by the victim. The `/join` endpoint additionally requires a victim-set `content` field in the format of a join membership. The `/knock` endpoint additionally requires a victim-set `content` field in the format of a knock membership and a room version not between 1 and 6. This issue was exploited against the continuwuity.org homeserver.
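The Rust example below is added here for illustration and is not code from any of the affected projects or their patches. It shows the kind of check a server can apply to the template event returned by the remote server before signing it. The type and function names are hypothetical, and the fields checked are an assumption based on the shape of Matrix `m.room.member` events.

```rust
// Added example; type and function names are hypothetical. Field names follow
// the shape of Matrix m.room.member events. Sample values are constructed.

/// Template event a remote server returns during a federated leave/join/knock.
#[derive(Debug, Clone)]
pub struct ProtoEvent {
    pub event_type: String,
    pub room_id: String,
    pub sender: String,
    pub state_key: Option<String>,
    pub membership: Option<String>, // content.membership
}

#[derive(Debug, PartialEq)]
pub enum Reject { WrongType, WrongRoom, WrongSender, WrongStateKey, WrongMembership }

/// Ok(()) only if the template is the membership event the local user asked
/// for; any other template must be dropped before the signing step.
pub fn check_template(ev: &ProtoEvent, room_id: &str, user_id: &str, membership: &str)
    -> Result<(), Reject>
{
    if ev.event_type != "m.room.member" { return Err(Reject::WrongType); }
    if ev.room_id != room_id { return Err(Reject::WrongRoom); }
    if ev.sender != user_id { return Err(Reject::WrongSender); }
    if ev.state_key.as_deref() != Some(user_id) { return Err(Reject::WrongStateKey); }
    if ev.membership.as_deref() != Some(membership) { return Err(Reject::WrongMembership); }
    Ok(())
}

/// Constructed sample: the leave template a well-behaved remote would return.
pub fn sample_leave() -> ProtoEvent {
    ProtoEvent {
        event_type: "m.room.member".into(),
        room_id: "!room:remote.example".into(),
        sender: "@alice:local.example".into(),
        state_key: Some("@alice:local.example".into()),
        membership: Some("leave".into()),
    }
}

fn main() {
    let (room, user) = ("!room:remote.example", "@alice:local.example");
    let good = sample_leave();
    println!("expected template:   {:?}", check_template(&good, room, user, "leave"));
    // Constructed sample: same handshake, but the template is not a membership event.
    let bad = ProtoEvent { event_type: "m.room.message".into(), ..good.clone() };
    println!("unexpected template: {:?}", check_template(&bad, room, user, "leave"));
}
```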
**Recommendations**
Update Continuwuity to version 0.5.1 or later.
Update Conduit to version 0.10.11 or later.
Update Grapevine to version 0aae932b or later.
Update Tuwunel to version 1.4.9 or later.