Changelog

To update Conduit, simply stop it, install the new version and start it again.

v0.10.11 - 2025-12-30

Fixes another critical vulnerability, similar to the previous one, again allowing for remote servers to make Conduit sign arbitrary events, but unlike the last vulnerability, it requires user interaction. It is recommended you upgrade ASAP.

v0.10.10 - 2025-12-22

Fixes a critical security vulnerability, allowing for remote servers to make the Conduit instance to sign arbitrary events. It is recommended you upgrade ASAP.

v0.10.9 - 2025-09-12

A few updates around room version 12 support, specifically:

• Fix incoming invites over federation being ignored, by not attempting to lookup the room’s create event.
• Updated support for MSC4311.
• Fix users downgrading from v12 and above to v11 and below having the default power level in the new room.

v0.10.8 - 2025-08-11

This release adds support for room version 12, addressing CVE-2025-49090 and some other issues, and makes it the default for new rooms. In addition, this release contains a few other changes to do with room version 12, those being:

• Support for the format query parameter on GET /state on the client-server API, which is needed for some clients to be able to have a full picture of room version 12 power levels
• Support for MSC4311, which will be useful for moderation tooling around invites for room version 12.

It is recommended you upgrade your server as soon as possible, so you are able to access v12 rooms. For more information about room version 12, see the disclosure from matrix.org.

NOTE: You should not upgrade your admin room, as there is no need to do so, and it may cause issues.

v0.10.7 - 2025-08-04

Fixes all known causes of events failing to be authorized due to not having the required keys.

v0.10.6 - 2025-07-07

Fixes issue where remote media could be fetched via unauthenticated endpoints.

v0.10.5 - 2025-06-23

Minor patch release, fixing the following issues:

• Users could register user IDs with forbidden characters
• Sliding sync would cause a panic if the user was in zero rooms
• Sliding sync room heros weren’t being sent to clients anymore, since they stopped including the undefined include_heros parameter

v0.10.4 - 2025-05-30

Upgrades ruma (dependency), fixing issue with events in v11 rooms not having their signatures checked correctly, preventing remote events (as well as those from membership handshakes) from being appended to the timeline.

v0.10.3 - 2025-05-12

Conduit now will claim support for matrix versions up to v1.12, fixing Element’s clients not using the authenticated media endpoints.

v0.10.2 - 2025-05-11

Fixes issue where where a list of one-time keys are returned on /upload and /sync instead of algorithms

• This fixes Fluffychat failing to login to new sessions.

v0.10.1 - 2025-05-09

Fixes flat directory structure always being used for media if it was changed from the default.

v0.10.0 - 2025-05-09

The highlight of this release is the media refactor, which include many improvements to media handling, such as:

• De-duplicating identical files
• Retention policies, to configure how long media is stored for, as well as size limits for scopes of media
• Commands for blocking and purging media, making it easy to remove media and/or prevent it from being downloaded

And more! See !740 for an exhaustive list

The other new features added are:

• Support for simplified sliding sync !744
• Appservice pinging !738
• Knocking !728
• Refactoring space handling, allowing remote servers to get space information over federation !598
• Allowing remote servers to leave rooms over federation !728
• Allowing remote servers to join restricted rooms over federation !618

v0.9.0 - 2024-10-06

This release implements authenticated media and fixes issues with previous media, like failing to parse or not being able to reload federated media after deleting it locally.

• BREAKING: The config variables for well-known entries have changed from well_known.server to well_known_server !723
• Feature: Authenticated media !716
• Feature: Split on __, allowing for setting individual values in a table !706
• Fix: Don’t fail entire request if any PDU’s format is invalid !709
• Fix: Don’t cache server name lookups indefinitely !702

v0.8.0 - 2024-06-12

This release is focused on patching security vulnerabilities. Most notably, there is a CRITICAL vulnerability, which requires an attacker to have an account on your server. Administrators which have untrusted users on their server (e.g. public homeservers) are advised to update immediately or take their homeserver off the internet ASAP.

Please send @conduit:server.name: help into your admin room. If the Conduit bot does not respond to the command, even after a restart, you have likely been victim of this vulnerability, and should not connect your server to the internet for the time being, even after upgrading. Please contact us privately if you are affected. If the Conduit user does respond to any command, then you are safe to connect your homeserver to the internet after upgrading. We will release further instructions for victims at 2024-06-19, 18:00 UTC. The other vulnerabilities are relatively minor, but we still urge you upgrade as soon as possible.

Aside from that and some bug fixes, there have been a few notable changes, including:

• Feature: Support for integration managers, as well as anything else that depends on Open ID endpoints, thanks to avdb !681

• Feature: Support for hosting .well-known files from Conduit directly, thanks to M0dEx !332

• This should make sliding sync work out of the box, so long as you are not using delegation in your reverse proxy (which you can also configure inside of Conduit instead)

• Allowing for toggling of registration via admin command, without requiring a restart, thanks to rmsthebest in !477

If you have any questions, ideas, concerns, or anything else, feel free to stop by at #conduit:ahimsa.chat

v0.7.0 - 2024-04-25

This release includes security fixes, it’s advised that you upgrade as soon as possible.

• BREAKING: The docker container changed. You need to explicitly set CONDUIT_CONFIG="" now to reproduce the previous behavior. You might also have to add expose: - 6167 to your docker compose config.
• BREAKING: Require explicit database backend, you need to explicitly set it to sqlite or rocksdb now !636
• Feature: Add support for room v11 !562
• Feature: Bump default room version to v10 !628
• Feature: Use _matrix-fed._tcp SRV record, fallback to _matrix._tcp !616
• Feature: Add argument parser for the conduit executable !385
• Docs: Add registration_token in default cfg and DEPLOY !557
• Docs: Build docs using mdBook and copy all markdown files !604
• Docs: Document all configuration options !635
• Improvement: Sliding Sync Improvements !549
• Improvement: Improvements to /sync performance and db size !590
• Improvement: Declare matrix v1.5 support !568
• Improvement: Use upstream reqwest instead of vendored one !527
• Improvement: do not save typing edus in db !597
• Improvement: Remove log config modification !553
• Improvement: use simpler rocksdb config !602
• Fix: Unrejectable invites !623
• Fix: ACL error shouldn’t break the whole request !542
• Fix: Avoid panic when client is confused about rooms !588
• Fix: Send push notification on invite to invited user and etc !559
• Fix: Don’t give guests admin !591
• Fix: Do not allow administration of remote users !614
• Fix: Remove join_authorized_via_users_server field on state update !619 !385
• Fix: Do not expect that all http requests are valid reqwest requests !611

v0.6.0 - 2023-08-10

• Feature: Threads !483
• Feature: Spaces !495
• Feature: Registration tokens !533
• Feature: Edit history, /relation endpoints !487
• Feature: Automatic update checker !522
• Feature: Very basic Element X support !501 !511
• Feature: Handle backfill requests !459
• Feature: Allow end-to-bridge encryption !454
• Improvement: Improved memory usage !497
• Improvement: Matrix.org is default trusted server if unspecified !536
• Improvement: Better memory usage admin commands !497
• Improvement: Better sync performance !490
• Improvement: Randomize server order for alias room joins !491
• Improvement: Allow reactivating users using reset-password admin command !458
• Improvement: Don’t allow breaking admin room !382
• Improvement: Recognize admin commands without ‘:’ after mention !470
• Fix: Device verification / Cross signing !501 !504 !532
• Fix: Less soft failing messages !490
• Fix: Matrix hookshot authorization !486
• Fix: Load Message Context on Element Android !485
• Fix: Media loads much faster now !484
• Fix: Unable to join some rooms !453 !464
• Fix: Restricted room join error is now FORBIDDEN !478

v0.5.0 - 2022-12-21

• Feature: Restricted room joining !398
• Feature: Call sd-notify after init and before exit !426
• Improvement: V9 as default room version !400
• Improvement: More efficient E2EE key claiming !389
• Fix: All E2EE problems !393
• Fix: Infinite room loading !388
• Fix: Wrong notification rules !405
• Fix: Wrong notification counts !408
• Fix: Can’t rejoin rooms !399
• Fix: Fluffychat login works again !391
• Fix: Starting DMs with Synapse users !390
• Fix: is_guest for appservices !401
• Fix: Invites from Dendrite !416
• Fix: Send unrecognized error for unknown endpoints !397
• Refactor: Service layer !365

v0.4.0 - 2022-06-23

• Breaking: Docker user changed. If you use Docker, please chown your database directory to 1000:1000
• Feature: Conduit now supports room versions 3 to 9 !257
• Feature: Deactivate user command !337
• Feature: Admin command to create new user !354
• Feature: Admin command to show config !295
• Feature: Admin command to change password !354
• Feature: Config option for emergency password to rescue server !354
• Feature: Sync performance improved !297
• Feature: Lightning bolt optional !366
• Improvement: Jemalloc can now be disabled at compile time !285
• Improvement: Use native CA certificates !329
• Improvement: Case insensitive userid login !323
• Fix: Element Android notifications should work again
• Fix: Fluffychat compatibility !293
• Fix: Kick and ban events over federation !338
• Fix: Editing state works again !336
• Fix: Admin bot can no longer trigger itself !293
• Fix: Appservice compatibility !331
• Fix: Redacting unknown events will no longer cause problems !298
• Fix: Admin command parse-pdu no longer crashes for malformed jsons !304
• Fix: Hide users from user directory if they are only in private rooms and they don’t share a room !325
• Fix: Don’t panic when signing event fails !343
• Docs: TURN server guide !291
• Docs: Admin room welcome message mentions help command !299
• Docs: Change setup guides to use the same database paths !301
• Docs: Clarify that Conduit is in beta !310
• Docs: Fix proxy examples !321
• Refactor: Changed from rocket to axum !263

v0.3.0 - 2022-02-04

• Feature: Support server ACLs !248
• Feature: RocksDB Database Backend !217
• Feature: Database backend selection at runtime !217
• Feature: Report users to homeserver admin !218
• Feature: Creation of Spaces (exploring spaces is not supported yet) !220
• Feature: Enable voice calls (requires configuring a TURN server) !208
• Feature: Lazy loading for much faster initial syncs !240
• Improvement: Batch inserts for events !204
• Improvement: Significantly faster state resolution !217
• Improvement: Reuse reqwest client !265
• Docs: Better appservice instructions !196
• Fix: Very old events appear in the timeline !188
• Fix: Sync not waking up on new events in room !194
• Fix: Crash on empty search !286
• Fix: Better E2EE support
• Fix: Stack overflows

v0.2.0 - 2021-09-01

• Initial release
• Almost all client server and server server features of the Matrix Spec are implemented
• Notable exceptions: User verification over federation, room versions > 6

v0.0.0 - 2020-02-15

• Start of development