CVE-2026-24471: Matrix Homeserver Auth Bypass Vulnerability

CVE-2026-24471 Overview

CVE-2026-24471 is a critical Unintended Proxy or Intermediary vulnerability (CWE-441) affecting continuwuity, a Matrix homeserver written in Rust. This flaw allows an attacker controlling a malicious remote server to force the victim server to sign arbitrary events during normal user interactions such as leaving a room, joining a room, or knocking on a room. The vulnerability was exploited as part of a larger attack chain against the continuwuity.org homeserver and affects all Conduit-derived servers.

Critical Impact
A malicious remote server can trick victim servers into signing arbitrary events, potentially enabling federation-level attacks, identity spoofing, and unauthorized actions within the Matrix federation protocol.

Affected Products

Continuwuity versions prior to 0.5.1
Conduit versions prior to 0.10.11
Grapevine versions prior to commit 0aae932b
Tuwunel versions prior to 1.4.9

Discovery Timeline

2026-02-02 - CVE CVE-2026-24471 published to NVD
2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-24471

Vulnerability Analysis

This vulnerability exploits the federation assistance mechanism in Matrix homeservers. When a user performs certain room actions (leaving, joining, or knocking), the victim server may request assistance from a remote server to complete the operation. If the remote server is controlled by an attacker, they can provide an arbitrary event that the victim server will cryptographically sign and return.

The vulnerability manifests differently across three federation endpoints:

For the /leave endpoint, the attack works with any event using a supported room version. The victim server automatically sets the origin and origin_server_ts fields, but the attacker controls the rest of the event content.

For the /join endpoint, the attacker must craft an event with a content field formatted as a join membership event. The victim server still sets certain fields, but the core malicious payload can be injected.

For the /knock endpoint, the attack requires a content field formatted as a knock membership and specifically requires a room version not between 1 and 6 to succeed.

Root Cause

The root cause is an Unintended Proxy vulnerability (CWE-441) where the server acts as an intermediary that signs events without properly validating their content and origin. The federation protocol implementation trusts the remote server's assistance response without adequate verification, allowing arbitrary event content to be signed with the victim server's cryptographic credentials.

Attack Vector

The attack is network-based and requires user interaction to trigger. The attack flow proceeds as follows:

Attacker sets up a malicious Matrix homeserver under their control
Attacker invites a user from the victim server to a room or creates conditions requiring federation assistance
When the victim user performs a room action (leave/join/knock), the victim server requests assistance from the attacker's server
The attacker's server responds with a crafted arbitrary event instead of a legitimate one
The victim server signs the malicious event and returns it to the attacker
The attacker now possesses a victim-signed event that can be used for further attacks within the federation

This signed event can potentially be used to impersonate the victim server, inject malicious content into the federation, or as part of a larger attack chain as demonstrated against continuwuity.org.

Detection Methods for CVE-2026-24471

Indicators of Compromise

Unexpected or anomalous signed events originating from your homeserver that don't correspond to legitimate user actions
Federation requests to or from unknown or suspicious remote servers during room join/leave/knock operations
Events in federation logs with unusual content that doesn't match expected membership event formats
Signs of room state manipulation or unexpected room joins attributed to your server

Detection Strategies

Review federation logs for assistance requests to external servers and correlate with actual user actions
Implement monitoring for unusual patterns in signed events, particularly those with unexpected content fields
Audit room state events for any that appear malformed or contain unexpected data
Monitor for federation requests during room operations that involve untrusted or newly-contacted servers

Monitoring Recommendations

Enable detailed federation logging to capture all assistance requests and responses
Set up alerting for room operations involving servers not on your trusted federation list
Implement rate limiting and anomaly detection for federation endpoints (/leave, /join, /knock)
Consider federation allowlists for critical deployments to limit exposure to untrusted servers

How to Mitigate CVE-2026-24471

Immediate Actions Required

Upgrade Continuwuity to version 0.5.1 or later immediately
Upgrade Conduit to version 0.10.11 or later
Upgrade Grapevine to commit 0aae932b or later
Upgrade Tuwunel to version 1.4.9 or later
Review federation logs for signs of exploitation before patching

Patch Information

Security patches are available for all affected Conduit-derived servers. The fix addresses the event validation logic to ensure servers properly verify the content and legitimacy of events before signing them.

For Continuwuity, the patch is available in the Forgejo commit 12aecf80917220543. Additional details are available in the GitHub Security Advisory GHSA-m5p2-vccg-8c9v.

Workarounds

Temporarily restrict federation to trusted servers only using an allowlist until patching is possible
Disable or restrict user access to room join/leave/knock operations if federation cannot be limited
Monitor federation traffic closely for any suspicious assistance requests
Consider taking the homeserver offline if immediate patching is not possible and the deployment is critical

bash

# Example: Restrict federation in Matrix homeserver configuration
# Consult your specific server documentation for exact syntax

# For servers supporting federation allowlists:
# federation_domain_whitelist:
#   - trusted-server-1.example.com
#   - trusted-server-2.example.org

# After patching, verify the installed version
# For Continuwuity:
continuwuity --version
# Expected: 0.5.1 or higher

CVE-2026-24471 Overview

Critical Impact
A malicious remote server can trick victim servers into signing arbitrary events, potentially enabling federation-level attacks, identity spoofing, and unauthorized actions within the Matrix federation protocol.

Affected Products

Continuwuity versions prior to 0.5.1
Conduit versions prior to 0.10.11
Grapevine versions prior to commit 0aae932b
Tuwunel versions prior to 1.4.9

Discovery Timeline

2026-02-02 - CVE CVE-2026-24471 published to NVD
2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-24471

Vulnerability Analysis

The vulnerability manifests differently across three federation endpoints:

For the /knock endpoint, the attack requires a content field formatted as a knock membership and specifically requires a room version not between 1 and 6 to succeed.

Root Cause

Attack Vector

The attack is network-based and requires user interaction to trigger. The attack flow proceeds as follows:

Attacker sets up a malicious Matrix homeserver under their control
Attacker invites a user from the victim server to a room or creates conditions requiring federation assistance
When the victim user performs a room action (leave/join/knock), the victim server requests assistance from the attacker's server
The attacker's server responds with a crafted arbitrary event instead of a legitimate one
The victim server signs the malicious event and returns it to the attacker
The attacker now possesses a victim-signed event that can be used for further attacks within the federation

This signed event can potentially be used to impersonate the victim server, inject malicious content into the federation, or as part of a larger attack chain as demonstrated against continuwuity.org.

Detection Methods for CVE-2026-24471

Indicators of Compromise

Unexpected or anomalous signed events originating from your homeserver that don't correspond to legitimate user actions
Federation requests to or from unknown or suspicious remote servers during room join/leave/knock operations
Events in federation logs with unusual content that doesn't match expected membership event formats
Signs of room state manipulation or unexpected room joins attributed to your server

Detection Strategies

Review federation logs for assistance requests to external servers and correlate with actual user actions
Implement monitoring for unusual patterns in signed events, particularly those with unexpected content fields
Audit room state events for any that appear malformed or contain unexpected data
Monitor for federation requests during room operations that involve untrusted or newly-contacted servers

Monitoring Recommendations

Enable detailed federation logging to capture all assistance requests and responses
Set up alerting for room operations involving servers not on your trusted federation list
Implement rate limiting and anomaly detection for federation endpoints (/leave, /join, /knock)
Consider federation allowlists for critical deployments to limit exposure to untrusted servers

How to Mitigate CVE-2026-24471

Immediate Actions Required

Upgrade Continuwuity to version 0.5.1 or later immediately
Upgrade Conduit to version 0.10.11 or later
Upgrade Grapevine to commit 0aae932b or later
Upgrade Tuwunel to version 1.4.9 or later
Review federation logs for signs of exploitation before patching

Patch Information

For Continuwuity, the patch is available in the Forgejo commit 12aecf80917220543. Additional details are available in the GitHub Security Advisory GHSA-m5p2-vccg-8c9v.

Workarounds

Temporarily restrict federation to trusted servers only using an allowlist until patching is possible
Disable or restrict user access to room join/leave/knock operations if federation cannot be limited
Monitor federation traffic closely for any suspicious assistance requests
Consider taking the homeserver offline if immediate patching is not possible and the deployment is critical

bash

# Example: Restrict federation in Matrix homeserver configuration
# Consult your specific server documentation for exact syntax

# For servers supporting federation allowlists:
# federation_domain_whitelist:
#   - trusted-server-1.example.com
#   - trusted-server-2.example.org

# After patching, verify the installed version
# For Continuwuity:
continuwuity --version
# Expected: 0.5.1 or higher

CVE-2026-24471: Matrix Homeserver Auth Bypass Vulnerability

CVE-2026-24471 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-24471

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-24471

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-24471

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-24471: Matrix Homeserver Auth Bypass Vulnerability

CVE-2026-24471 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-24471

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-24471

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-24471

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform