CVE-2025-32026: Element Web could load a malicious instance of Element Call leaking media encryption keys
First published: Tue Apr 08 2025(Updated: )
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elementor | >=1.11.16<=1.11.96 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-32026?
The severity of CVE-2025-32026 is classified as high due to the potential exposure of sensitive media encryption keys.
How do I fix CVE-2025-32026?
To fix CVE-2025-32026, upgrade Element Web to a version later than 1.11.96.
What versions are affected by CVE-2025-32026?
CVE-2025-32026 affects Element Web versions from 1.11.16 to 1.11.96.
What is the risk associated with CVE-2025-32026?
The risk associated with CVE-2025-32026 includes unauthorized access to sensitive media data through a vulnerable external URL.
Can CVE-2025-32026 be exploited remotely?
Yes, CVE-2025-32026 can be exploited remotely if the Element Web client is configured to load an external URL.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/author
- agent/severity
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/element
- canonical/elementor