Threat Advisory

Element Call Vulnerability Exposes Sensitive Information

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48007 (CVSS score 8.6) is a vulnerability in the element-call-embedded package affecting versions 0.5.17 through 0.19.3. When Element Call is configured to report analytics, either via a `posthog` key in config.json or via the `posthogApiHost` and `posthogApiKey` URL parameters, it reports the full URL of each visited page to the PostHog server, including the URL fragment. The fragment may contain encryption passwords or other sensitive data, so that data is exposed to anyone able to read the analytics data. An attacker with access to the PostHog analytics data, and potentially to the encrypted media streams, could use the leaked encryption passwords or other sensitive information to compromise the confidentiality of calls. The business impact is high: exposure of sensitive information undermines the security of the service and the trust of its users, and exploitation could result in the loss of confidential data. Exploitation requires that the Element Call instance is configured to report analytics data to a PostHog server and that the attacker has access to that data.
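The leak pattern described above, as an added illustration that is not code from Element Call or the element-call-embedded package: a page-view payload built from the raw `location.href` beside one built from a redacted URL, plus a check that flags any payload still carrying the fragment or a query value. The sample URL, the payload shape and all function names are constructed for this example.

```javascript
// Constructed sample URL of the kind the advisory describes: an embedded-call page
// whose fragment carries an E2EE password (all values are made up for this example).
const SAMPLE_HREF =
  "https://call.example.org/room/abc" +
  "?posthogApiHost=https%3A%2F%2Fph.example.org&posthogApiKey=phc_constructed" +
  "#password=s3cret-e2ee-key";

// Vulnerable pattern: the page-view event carries window.location.href verbatim,
// so the fragment (and any credentials in the query string) reach the analytics server.
function buildPageViewVulnerable(href) {
  return { event: "pageview", current_url: href };
}

// Hardened pattern: report origin + path only. URL.hash holds the fragment and
// URL.search the query string; both are dropped before anything leaves the client.
function redactUrlForAnalytics(href) {
  const url = new URL(href);
  return url.origin + url.pathname;
}

function buildPageViewHardened(href) {
  return { event: "pageview", current_url: redactUrlForAnalytics(href) };
}

// Guard for a unit test or a pre-send hook: true if the serialized payload still
// contains the live URL's fragment or any of its query values, raw or URL-encoded.
function payloadLeaksUrlSecrets(payload, href) {
  const url = new URL(href);
  const secrets = [];
  if (url.hash.length > 1) secrets.push(decodeURIComponent(url.hash.slice(1)));
  for (const [, value] of url.searchParams) secrets.push(value);
  const serialized = JSON.stringify(payload);
  return secrets.some(
    (s) => s.length > 0 &&
      (serialized.includes(s) || serialized.includes(encodeURIComponent(s)))
  );
}

// Demonstration: the vulnerable payload leaks, the hardened one does not.
console.log(payloadLeaksUrlSecrets(buildPageViewVulnerable(SAMPLE_HREF), SAMPLE_HREF)); // true
console.log(payloadLeaksUrlSecrets(buildPageViewHardened(SAMPLE_HREF), SAMPLE_HREF));   // false
```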

RECOMMENDATION:

We recommend updating element-call-embedded to version 0.19.4.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6vhh-4xw6-h2h2
