Skip to main content

Element Call CVE-2026-48007

HIGH
Information Exposure (CWE-200)
2026-06-11 https://github.com/element-hq/element-call GHSA-6vhh-4xw6-h2h2
Share

Severity by source

vuln.today AI
4.4 MEDIUM

Disclosure requires PostHog-tenant access (PR:H) plus separate captured media (AC:H); leak path is network-delivered telemetry (AV:N), no user action (UI:N), confidentiality-only impact on call content (C:H).

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 13:52 vuln.today
Analysis Generated
Jun 11, 2026 - 13:52 vuln.today

DescriptionCVE.org

Impact

Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data ($initial_person_info, $session_entry_url, and $current_url) were found to contain the full URL of the user's visited page, including the fragment.

Users of a standalone Element Call ‘SPA’ instance such as https://call.element.io may therefore have reported the full URLs of certain calls, including encryption passwords, to the configured PostHog server, potentially compromising the confidentiality of the calls to actors who could access both the PostHog analytics data and the encrypted media streams.

The same issue is present in Element Call's embedded package, but in practice it does not impact applications using this package (including Element Web, Element Desktop, Element X iOS, and Element X Android) because they distribute encryption keys over Matrix rather than encoding a password in the URL.

Patches

Patched in Element Call 0.19.4.

Workarounds

Users may opt out of analytics in the 'Feedback' tab of Element Call's settings and create new links for future calls.

Admins who host Element Call as a standalone application may disable PostHog analytics entirely by removing the posthog key from their deployment's config.json file.

For more information

If there are any questions or comments about this advisory, please send an email to [security at element.io](mailto:security@element.io).

AnalysisAI

Information disclosure in Element Call 0.5.17 through 0.19.3 causes the application to send full visited URLs (including URL fragments) to a configured PostHog analytics server via the $initial_person_info, $session_entry_url, and $current_url fields. On standalone SPA deployments such as call.element.io that encode call encryption passwords in the URL fragment, this can leak those passwords to anyone with access to the PostHog data, enabling decryption of the associated E2EE media streams. No public exploit identified at time of analysis; the issue was disclosed and patched by the vendor in 0.19.4.

Technical ContextAI

Element Call is the matrix.org WebRTC group-call application maintained by Element Hq and distributed both as a standalone single-page app and as an embeddable widget (npm package @element-hq/element-call-embedded). In standalone SPA mode, call links embed the shared encryption password directly in the URL fragment (the part after #). The PostHog JavaScript SDK is integrated for product analytics and, by default, captures full page URLs into several telemetry events; because URL fragments are not stripped before being assigned to the $session_entry_url, $current_url, and $initial_person_info payload fields, the secret material in the fragment is transmitted to the analytics backend. This is a textbook CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) caused by treating an attacker-relevant secret (the fragment) as ordinary telemetry context. The embedded package (used by Element Web, Element Desktop, and Element X mobile clients) ships the same code path but is not exploitable in practice because those clients distribute call encryption keys over Matrix rather than encoding them in the URL.

RemediationAI

Vendor-released patch: upgrade Element Call to 0.19.4 (released as a security hotfix; see https://github.com/element-hq/element-call/releases/tag/v0.19.4, npm @element-hq/element-call-embedded@0.19.4, or ghcr.io/element-hq/element-call:v0.19.4). For standalone hosts who cannot upgrade immediately, disable analytics entirely by removing the posthog key from the deployment's config.json - the trade-off is loss of product usage telemetry but no functional impact on calls. End users on an unpatched instance can opt out of analytics in the Element Call 'Feedback' settings tab and should generate new call links afterwards, because any previously shared link's password may already have been transmitted to PostHog. Because the secret travels in the URL fragment, rotating/replacing existing call links is necessary even after patching to invalidate any passwords already captured in historic analytics data.

Share

CVE-2026-48007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy