CVE-2025-32026

Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Element Web es un cliente web de Matrix desarrollado con el SDK de Matrix React. Element Web, desde la versión 1.11.16 hasta la 1.11.96, puede configurarse para cargar una llamada de Element desde una URL externa. En ciertas circunstancias, la página externa puede acceder a las claves de cifrado de medios utilizadas para una llamada de Element. La versión 1.11.97 soluciona este problema.

08 Apr 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 16:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-32026

Mitre link : CVE-2025-32026

CVE.ORG link : CVE-2025-32026

JSON object : View

Products Affected

No product.

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

3.8 /10