PT-2026-5720 · Unknown+3 · Continuwuity+3
Jadedblueeyes · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-24471
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H |
Name of the Vulnerable Software and Affected Versions
Continuwuity versions prior to 0.5.1
Conduit versions prior to 0.10.11
Grapevine versions prior to 0aae932b
Tuwunel versions prior to 1.4.9
Description
A flaw exists that allows a malicious remote server to cause a local server to sign an arbitrary event upon user interaction. This occurs when a user account leaves, joins, or knocks on a room, which may prompt the victim server to request assistance from a remote server. If the victim requests assistance from an attacker-controlled server, the attacker can return an arbitrary event, which the victim server then signs and returns. The /leave endpoint is vulnerable to any event with a supported room version, requiring only the origin and origin_server_ts fields to be set by the victim. The /join endpoint additionally requires a victim-set content field in the format of a join membership. The /knock endpoint additionally requires a victim-set content field in the format of a knock membership and a room version not between 1 and 6. This issue was exploited against the continuwuity.org homeserver.
Recommendations
Update Continuwuity to version 0.5.1 or later.
Update Conduit to version 0.10.11 or later.
Update Grapevine to version 0aae932b or later.
Update Tuwunel to version 1.4.9 or later.
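As an added illustration (not code from Continuwuity, Conduit, Grapevine or Tuwunel), the check a homeserver can apply to the template a remote server returns for a leave, join or knock request before it adds origin and origin_server_ts and signs the event; field names follow Matrix m.room.member events, the rule set and the function name template_error are assumptions, and the sample bodies are constructed.

```python
import json

# Added example, not code from Continuwuity, Conduit, Grapevine or Tuwunel:
# check the event template a remote server returns for a join/leave/knock
# request before the local server adds origin, origin_server_ts and its
# signature. The rule set is an assumption about what is safe to sign.

KNOCK_UNSUPPORTED_ROOM_VERSIONS = {"1", "2", "3", "4", "5", "6"}

def template_error(kind, room_id, user_id, body):
    """Return None if the template is the membership event we asked to have
    signed, otherwise a reason string; sign only on None."""
    if kind not in ("join", "leave", "knock"):
        return f"unknown membership request kind: {kind}"
    try:
        response = json.loads(body)
    except ValueError:
        return "response is not valid JSON"
    event = response.get("event") if isinstance(response, dict) else None
    if not isinstance(event, dict):
        return "response has no event object"
    version = response.get("room_version")
    if kind == "knock" and version in KNOCK_UNSUPPORTED_ROOM_VERSIONS:
        return f"room version {version} does not support knocking"
    # The template must describe exactly the state change we requested;
    # anything else would be a foreign event carrying our server's signature.
    if event.get("type") != "m.room.member":
        return f"not a membership event: {event.get('type')}"
    if event.get("room_id") != room_id:
        return "template names a different room"
    if event.get("sender") != user_id or event.get("state_key") != user_id:
        return "template is not about the requesting user"
    content = event.get("content")
    if not isinstance(content, dict) or content.get("membership") != kind:
        return f"template membership is not '{kind}'"
    return None

# Constructed sample bodies: an honest leave template, and one that tries to
# get an unrelated state event signed (the pattern the advisory describes).
GOOD = json.dumps({"room_version": "10", "event": {
    "type": "m.room.member", "room_id": "!r:remote.example",
    "sender": "@alice:victim.example", "state_key": "@alice:victim.example",
    "content": {"membership": "leave"}}})
BAD = json.dumps({"room_version": "10", "event": {
    "type": "m.room.power_levels", "room_id": "!r:remote.example",
    "sender": "@alice:victim.example", "state_key": "",
    "content": {"users": {"@mallory:remote.example": 100}}}})

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("bad", BAD)):
        print(name, template_error("leave", "!r:remote.example", "@alice:victim.example", body))
```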
Affected Products
Conduit
Continuwuity
Grapevine
Tuwunel