CVE Tools
Sign in

CVE-2024-26132

Element Android can be asked to share internal files.

Published: Feb 20, 2024Updated: Feb 14, 2025 Sources: CVE List NVDCWE-200
NVD MITRE
4.0CVSSMEDIUM
EPSS Score
0.4%
Top 69.7%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the `files` directory in the application's private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, it contains some other potentially sensitive information, such as the FCM token. Forks of Element Android which have set `android:exported="false"` in the `AndroidManifest.xml` file for the `IncomingShareActivity` activity are not impacted. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

CVSS Vector Breakdown

AV:LAC:LPR:NUI:NS:UC:LI:NA:N
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-200NVD-CWE-noinfo

Affected Products

element-androidelement-hq
Mixed
Communications / messaging-chat
elementelement
On-prem
Communications / messaging-chat
element-hqoss-projectCommunications
elementcommercialCommunicationsaka element, synapse, desktop

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Collection
View detailed technique mapping

References

https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4
github.com
https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07
github.com
https://element.io/blog/security-release-element-android-1-6-12
element.io

Timeline

Published
Feb 20, 2024
Last Updated
Feb 14, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-26132 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows