CRITICAL🇵🇱 Wersja polska

CVE-2025-68667

CVSS 9.9v4.0pub. 2025-12-23upd. 2026-04-15

Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. Attackers can forge "leave" events for any user on the target server. This forcibly removes users (including admins and bots) from rooms. This allows denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed). Attackers can forge "invite" events from a victim user to themselves, provided they have an account on a server where there is an account that has the power level to send invites. This allows the attacker to join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state. Attackers can forge "ban" events from a victim user to any user below the victim user's power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. This allows the attacker to ban anyone in a room who is on the same server as the vulnerable one, however cannot exploit this to ban users on other servers or the victim themself. Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`. As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using your reverse proxy.

🤖 AI Analysis
How it works

The error results from lack of origin validation of the signing request - the server will sign an event if the state_key field contains a valid user identifier belonging to that server, regardless of who actually sends the request. An attacker can forge events of type 'leave' (forcing removal of any user from the room, including administrators and bots), 'invite' (inviting themselves to a private room on behalf of the victim), and 'ban' (banning users below the victim's permission level, if the victim and ban target are on the same server). The attack is possible remotely and without any authentication.

Impact

An attacker can cause denial of service (DoS) by mass removing users from rooms, remove technical room protections (e.g., policy servers), gain unauthorized access to private conversation history, and manipulate room membership through fake bans or invitations.

Mitigation & patch

Update software: Conduit to version 0.10.10, continuwuity to version 0.5.0, tuwunel to version 1.4.8, Grapevine to commit 9a50c2448abba6e2b7d79c64243bb438b351616c. As a workaround, block access to the endpoint PUT /_matrix/federation/v2/invite/{roomId}/{eventId} at the reverse proxy level.

Who is affected

Conduit in versions prior to 0.10.10; continuwuity in versions prior to 0.5.0; Grapevine in versions before commit 9a50c244; tuwunel in versions prior to 1.4.8.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassDoS
CWE
References