CVE-2024-26132

Element Android can be asked to share internal files.

Description

Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the `files` directory in the application's private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, it contains some other potentially sensitive information, such as the FCM token. Forks of Element Android which have set `android:exported="false"` in the `AndroidManifest.xml` file for the `IncomingShareActivity` activity are not impacted. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

Category

4.0
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.08%
Vendor Advisory github.com
Affected: element-hq element-android
Published at:
Updated at:

References

Link Tags
https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4 patch vendor advisory
https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07 patch
https://element.io/blog/security-release-element-android-1-6-12 release notes patch

Frequently Asked Questions

What is the severity of CVE-2024-26132?
CVE-2024-26132 has been scored as a medium severity vulnerability.
How to fix CVE-2024-26132?
To fix CVE-2024-26132, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-26132 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-26132 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-26132?
CVE-2024-26132 affects element-hq element-android.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.