CVE-2025-27606: Element Android PIN autologout bypass
First published: Fri Mar 14 2025(Updated: )
Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Element | <=1.6.32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-27606?
CVE-2025-27606 is considered a moderate severity vulnerability due to the potential for unauthorized access if an attacker has physical access to the device.
How do I fix CVE-2025-27606?
To fix CVE-2025-27606, update Element Android to version 1.6.33 or later where the issue has been patched.
What causes CVE-2025-27606?
CVE-2025-27606 occurs when Element Android fails to properly logout a user after multiple incorrect PIN attempts.
Who is affected by CVE-2025-27606?
Users of Element Android versions 1.6.32 and earlier are affected by CVE-2025-27606.
What are the potential impacts of CVE-2025-27606?
The impact of CVE-2025-27606 includes the risk of unauthorized access to user accounts as a result of the logout failure.
- agent/weakness
- agent/title
- agent/references
- agent/first-publish-date
- agent/description
- agent/type
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/element
- canonical/element