Cyber Resilience

CVE-2026-24471

Critical

Published: 02 February 2026

Published
02 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0031 22.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24471 is a critical-severity Confused Deputy (CWE-441) vulnerability in Ellis (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an…

more

invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1558 Steal or Forge Kerberos Tickets Credential Access
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.
Why these techniques?

Vuln in public-facing homeserver enables remote forgery of signed authn events via confused deputy (CWE-441) during federation requests.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Ellis
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-441

Mitigates confused deputy risks by ensuring distinct privilege domains so one partition cannot unintentionally act on behalf of another.

References