CVE-2026-24471 (GCVE-0-2026-24471)

Vulnerability from cvelistv5 – Published: 2026-02-02 18:56 – Updated: 2026-02-03 14:53
VLAI
Title
Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy')
Summary
continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.
Severity
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
References
Impacted products
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24471",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T14:52:55.688879Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T14:53:20.068Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "continuwuity",
          "vendor": "continuwuity",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T18:56:27.523Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v"
        },
        {
          "name": "https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900"
        }
      ],
      "source": {
        "advisory": "GHSA-m5p2-vccg-8c9v",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24471",
    "datePublished": "2026-02-02T18:56:27.523Z",
    "dateReserved": "2026-01-23T00:38:20.547Z",
    "dateUpdated": "2026-02-03T14:53:20.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-24471",
      "date": "2026-06-28",
      "epss": "0.00312",
      "percentile": "0.22882"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24471\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-02T23:16:08.270\",\"lastModified\":\"2026-06-17T10:23:07.140\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.\"},{\"lang\":\"es\",\"value\":\"continuwuity es un homeserver de Matrix escrito en Rust. Esta vulnerabilidad permite a un atacante con un servidor remoto malicioso hacer que el servidor local firme un evento arbitrario tras la interacci\u00f3n del usuario. Cuando una cuenta de usuario abandona una sala (rechazando una invitaci\u00f3n), se une a una sala o llama a la puerta de una sala, el servidor v\u00edctima puede pedir asistencia a un servidor remoto. Si la v\u00edctima pide asistencia al servidor atacante, el atacante puede proporcionar un evento arbitrario, que la v\u00edctima firmar\u00e1 y devolver\u00e1 al atacante. Para el endpoint /leave, esto funciona para cualquier evento con una versi\u00f3n de sala compatible, donde el origen y origin_server_ts son establecidos por la v\u00edctima. Para el endpoint /join, se necesita un campo de contenido adicionalmente establecido por la v\u00edctima en el formato de una membres\u00eda de uni\u00f3n. Para el endpoint /knock, se necesita un campo de contenido adicional establecido por la v\u00edctima en el formato de una membres\u00eda de knock y una versi\u00f3n de sala que no est\u00e9 entre 1 y 6. Esto fue explotado como parte de una cadena m\u00e1s grande contra el homeserver continuwuity.org. Esta vulnerabilidad afecta a todos los servidores derivados de Conduit. Esta vulnerabilidad est\u00e1 corregida en Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b y Tuwunel 1.4.9.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"continuwuity\",\"product\":\"continuwuity\",\"versions\":[{\"version\":\"\u003c 0.5.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-03T14:52:55.688879Z\",\"id\":\"CVE-2026-24471\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-441\"}]}],\"references\":[{\"url\":\"https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\", \"source\": {\"advisory\": \"GHSA-m5p2-vccg-8c9v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"continuwuity\", \"product\": \"continuwuity\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v\", \"name\": \"https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900\", \"name\": \"https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-441\", \"description\": \"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-02T18:56:27.523Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24471\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T14:52:55.688879Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-02-03T14:53:14.672Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24471\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-02T18:56:27.523Z\", \"dateReserved\": \"2026-01-23T00:38:20.547Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-02T18:56:27.523Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.