Overview
Element Call, part of the Element suite of communication tools, has a high-severity information-disclosure vulnerability tracked as CVE-2026-48007: the application reports the full URL of the visited page, including the URL fragment, to a PostHog analytics server. The issue affects Element Call versions 0.5.17 through 0.19.3 and carries a severity score of 8.6 (High).
Technical Details
The vulnerability arises from how Element Call reports analytics data to a PostHog server. When analytics is configured, either through a `posthog` key in `config.json` or through the `posthogApiHost` and `posthogApiKey` URL parameters, several properties of each reported event, including `$initial_person_info`, `$session_entry_url`, and `$current_url`, contain the full URL of the page the user visited. That URL includes the fragment (the part after `#`). A browser never sends the fragment to the web server in an HTTP request, which is why it is a common place to carry secrets, but client-side JavaScript can read it from `window.location`, and an analytics SDK that copies the page URL verbatim exports it. In Element Call the fragment can carry sensitive material such as the call's encryption password.
The issue primarily affects users of a standalone Element Call Single Page Application (SPA) instance, such as https://call.element.io, because standalone call links carry the encryption password in the URL. Those users may have unknowingly reported the full URLs of their calls, password included, to the PostHog server. An attacker with access to both the PostHog analytics data and the encrypted media streams could combine the two to decrypt the calls; the analytics data alone reveals the password but not the media.
The same code path exists in Element Call's embedded package, used by Element Web, Element Desktop, Element X iOS, and Element X Android, but it has no practical impact there: those applications distribute encryption keys over Matrix rather than encoding a password in the URL, so no secret is present in the fragment that gets reported.
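The following is an added example, not code from Element Call or PostHog, showing the mechanism described above and one way to close it: a sanitizer that strips the fragment from every URL-valued property before an event is sent, which is the kind of function one would plug into an SDK hook such as the PostHog JS SDK's `sanitize_properties` option (an assumption about that SDK, not something this page states). The sample link is constructed; the property names are those named in the advisory, and the `{u, r}` shape assumed for `$initial_person_info` is an assumption. The sanitizer is deliberately more general than the three named properties: it strips fragments from any URL string at any depth, so it does not break when an SDK adds new URL-carrying properties.

```javascript
// Added example (not Element Call or PostHog code): how a call password placed in
// the URL fragment ends up in analytics event properties, and a sanitizer that
// strips fragments from every URL-valued property before an event leaves the page.

// Constructed sample link modelled on a standalone Element Call room link. The
// password sits in the fragment: browsers never send it to the web server, but
// window.location.href includes it, so any script that copies href exports it.
const SAMPLE_URL =
  'https://call.example.org/room/#/weekly-sync?password=correct-horse-battery-staple';

// Model of the properties an analytics SDK attaches when it captures the page URL
// verbatim. Property names are those in the advisory; the {u, r} shape of
// $initial_person_info is an assumption about the PostHog JS SDK, not a fact from
// the page. In a browser, `href` would be window.location.href.
function buildEventProperties(href, referrer = '') {
  return {
    $current_url: href,
    $session_entry_url: href,
    $initial_person_info: { u: href, r: referrer },
    event: 'call_joined', // non-URL string, must pass through untouched
  };
}

// Parse an absolute URL, or return null for anything that is not one.
function parseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Return a URL string with its fragment removed; non-URL input is returned as-is.
function stripFragment(value) {
  const url = parseUrl(value);
  if (url === null) return value;
  url.hash = '';
  return url.toString();
}

// Walk a properties object and list the dotted paths of every URL that still
// carries a fragment. Useful for auditing captured events after the fact.
function findFragmentLeaks(properties, prefix = '') {
  const leaks = [];
  for (const [key, value] of Object.entries(properties)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof value === 'string') {
      const url = parseUrl(value);
      if (url !== null && url.hash !== '') leaks.push(path);
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      leaks.push(...findFragmentLeaks(value, path));
    }
  }
  return leaks;
}

// Sanitizer: copy the properties, stripping the fragment from every URL-valued
// string at any depth. Generic on purpose: it does not depend on knowing which
// property names the SDK will add in a future version.
function sanitizeProperties(properties) {
  const out = {};
  for (const [key, value] of Object.entries(properties)) {
    if (typeof value === 'string') {
      out[key] = stripFragment(value);
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = sanitizeProperties(value);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Stand-alone demonstration.
const leaky = buildEventProperties(SAMPLE_URL);
console.log('leaking properties:', findFragmentLeaks(leaky));
// leaking properties: [ '$current_url', '$session_entry_url', '$initial_person_info.u' ]
const clean = sanitizeProperties(leaky);
console.log('after sanitizing:', clean.$current_url, findFragmentLeaks(clean));
// after sanitizing: https://call.example.org/room/ []
```

Run it with `node` to see the three leaking property paths and the sanitized URL. Stripping the fragment rather than redacting only `password=` is the safer choice: the fragment is never needed server-side, and a redaction keyed on one parameter name silently fails the next time a secret is carried under a different name.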
Impact Analysis
The impact of this vulnerability is a loss of confidentiality for calls made through a standalone Element Call instance with analytics enabled. The reported URLs carry the call's encryption password, so anyone who can read the PostHog analytics data and also obtain the encrypted media streams can decrypt the call and eavesdrop on it. Because the passwords were sent as part of routine analytics reporting, the exposure is retrospective as well as ongoing: any call link used while analytics was enabled may already be recorded on the analytics server.
Mitigation
Several mitigation strategies can be employed:
- Patching: Upgrading to Element Call version 0.19.4 or later is the most straightforward and effective mitigation. This version stops the full URL, and with it the fragment, from being reported to the analytics server.
- Workarounds: Users who cannot patch immediately can opt out of analytics in the 'Feedback' tab of Element Call's settings, which prevents further reporting from that client. Because passwords in links already used may have been reported, existing call links should be treated as exposed and replaced with newly generated links for future calls.
- Disabling PostHog Analytics: Administrators hosting Element Call as a standalone application can disable PostHog analytics for their deployment by removing the `posthog` key from its `config.json`. With no analytics configuration, no event data is sent to PostHog servers.
Conclusion
CVE-2026-48007 is a reminder that client-side analytics is an exfiltration path for anything readable from the page, and that a secret placed in the URL fragment is only as private as every script that can read `window.location`. Understanding the technical details of this vulnerability and applying the mitigations above, patching first and replacing exposed call links, lets users and administrators protect their calls from this exposure.