PT-2024-21291 · Unknown · Element Android

Smaury +2 · Published 2024-02-20 · Updated 2024-05-05 · CVE-2024-26132

CVSS v3.1: 4.0 Medium
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Element Android versions 0.91.0 through 1.6.12

Description
A malicious third-party application installed on the same phone can force Element Android to share files stored under the files directory of the application's private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, the folder also contains other potentially sensitive information, such as the FCM token.

Recommendations
For Element Android versions 0.91.0 through 1.6.11, update to version 1.6.12 to resolve the issue. Forks of Element Android that have set android:exported="false" for the IncomingShareActivity activity in the AndroidManifest.xml file are not impacted and require no action.
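A fork maintainer can verify the manifest condition named in the recommendation with a short check over the decoded AndroidManifest.xml. The script below is an added example, not code from Element or from this advisory; the package name, intent filter and alias in the sample manifests are constructed placeholders. It goes slightly beyond the advisory by also resolving the default value when android:exported is omitted and by flagging any activity-alias that targets the activity.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def exported_entries(manifest_xml, simple_name="IncomingShareActivity"):
    """List (tag, name, exported, source) for the activity and any alias targeting it."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for node in (app if app is not None else []):
        if node.tag not in ("activity", "activity-alias"):
            continue
        name = node.get(ANDROID_NS + "name", "")
        # An alias makes its targetActivity reachable, so match aliases on the target.
        target = node.get(ANDROID_NS + "targetActivity", name)
        if target.rsplit(".", 1)[-1] != simple_name:
            continue
        explicit = node.get(ANDROID_NS + "exported")
        if explicit is not None:
            found.append((node.tag, name, explicit.lower() == "true", "explicit"))
        else:
            # Attribute omitted: a component with an intent-filter defaults to exported.
            found.append((node.tag, name, node.find("intent-filter") is not None, "default"))
    return found

def reachable_from_other_apps(manifest_xml):
    return any(exported for _, _, exported, _ in exported_entries(manifest_xml))

# Constructed sample manifests (package name and filters are placeholders).
_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fork">
  <application>
    <activity android:name=".share.IncomingShareActivity" {attr}>
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    {extra}
  </application>
</manifest>"""
EXPORTED = _TEMPLATE.format(attr='android:exported="true"', extra="")
HARDENED = _TEMPLATE.format(attr='android:exported="false"', extra="")
IMPLICIT = _TEMPLATE.format(attr="", extra="")
ALIASED = _TEMPLATE.format(attr='android:exported="false"', extra=(
    '<activity-alias android:name=".ShareAlias" android:exported="true" '
    'android:targetActivity=".share.IncomingShareActivity"/>'))

if __name__ == "__main__":
    for label, xml in [("exported", EXPORTED), ("hardened", HARDENED),
                       ("implicit", IMPLICIT), ("aliased", ALIASED)]:
        print(label, reachable_from_other_apps(xml), exported_entries(xml))
```

Run it against the merged manifest extracted from the built APK rather than the source file, since manifest merging can change the final attribute values.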

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-26132
GHSA-8WJ9-CX7H-PVM4

Affected Products

Element Android