VYPR

Conduit

by The Conduit Contributors

CVEs (7)

  • CVE-2025-68667CriDec 23, 2025
    risk 0.64cvss epss 0.01

    Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to…

  • CVE-2024-6303CriJun 25, 2024
    risk 0.64cvss 9.9epss 0.00

    Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords,…

  • CVE-2026-24471CriFeb 2, 2026
    risk 0.60cvss epss 0.00

    continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or…

  • CVE-2024-6302HigJun 25, 2024
    risk 0.53cvss 8.1epss 0.00

    Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to send redaction events.

  • CVE-2024-6301MedJun 25, 2024
    risk 0.34cvss 5.3epss 0.00

    Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs

  • CVE-2024-6299MedJun 25, 2024
    risk 0.31cvss 4.8epss 0.00

    Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date

  • CVE-2024-6300LowJun 25, 2024
    risk 0.24cvss 3.7epss 0.00

    Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction

VYPR — Vulnerability Intelligence