Impact
In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json
well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call.
We classify this vulnerability as High severity, despite its CVSS score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Workarounds
Deployments where infrastructure is entirely controlled by a single organisation are less affected.
References
element-hq/element-meta#2441