
CVE-2026-7701: Telegram Desktop RCE Vulnerability

CVE-2026-7701 is a remote code execution flaw in Telegram Desktop up to and including version 6.7.5, caused by a null pointer dereference in the Bot API component. This article covers technical details, affected versions, detection, and mitigation.

CVE-2026-7701 Overview

CVE-2026-7701 is a null pointer dereference vulnerability in Telegram Desktop versions up to and including 6.7.5. The flaw resides in the RequestButton function within Telegram/SourceFiles/boxes/url_auth_box.cpp, part of the Bot API component. A remote attacker can manipulate the login_url argument to trigger the dereference. Exploit details have been disclosed publicly. The vendor was contacted prior to disclosure but did not respond. The issue is tracked under CWE-404 (Improper Resource Shutdown or Release) and carries a low CVSS 4.0 score of 2.1.

Critical Impact

Remote attackers can crash Telegram Desktop client sessions by supplying crafted login_url values through the Bot API, causing a denial of service through null pointer dereference.

Affected Products

  • Telegram Desktop versions up to and including 6.7.5
  • Bot API component (url_auth_box.cpp)
  • RequestButton function handling login URL authentication

Discovery Timeline

  • 2026-05-03 - CVE-2026-7701 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-7701

Vulnerability Analysis

The vulnerability resides in the RequestButton function defined in Telegram/SourceFiles/boxes/url_auth_box.cpp. This code path handles login URL authorization requests originating from Telegram bots through the Bot API. When the login_url argument is manipulated with unexpected or missing values, the function dereferences a pointer that was never properly initialized or validated. The result is a process crash on the client side.

The weakness is classified under CWE-404 (Improper Resource Shutdown or Release). User interaction is required: the victim must interact with a bot-supplied login URL element before the vulnerable code executes. Because the exploit has been disclosed, the issue is accessible to low-skilled attackers operating Telegram bots.

Root Cause

The root cause is missing validation of pointer state inside RequestButton before the login_url parameter is consumed. The function does not verify that the underlying object referenced by the parameter is non-null prior to dereferencing it. Telegram Desktop's Bot API integration trusts the structure of inbound bot messages, leaving the client-side code without defensive null checks.

Attack Vector

An attacker controls a Telegram bot and crafts a message containing a malformed login_url button. When a target user interacts with the button, Telegram Desktop calls RequestButton, which dereferences a null pointer and terminates the process. The attack requires no authentication on the attacker side because anyone can register a Telegram bot. Exploitation is limited to denial of service against the desktop client. There is no indication of memory corruption beyond the crash, no privilege escalation path, and no confidentiality or integrity impact reported in the CVSS vector.

Detection Methods for CVE-2026-7701

Indicators of Compromise

  • Unexpected Telegram Desktop process crashes correlated with bot interactions in chat history
  • Crash dumps or Windows Error Reporting (WER) crash reports referencing url_auth_box.cpp or the RequestButton symbol
  • Repeated Telegram.exe process exits shortly after a user clicks an inline login button
  • Inbound messages from unknown bots containing login URL buttons targeting multiple users

Detection Strategies

  • Monitor endpoint telemetry for abnormal termination of Telegram.exe or its Linux and macOS equivalents
  • Correlate application crash events with Telegram Desktop versions at or below 6.7.5
  • Inspect Telegram log files for errors emitted by the URL auth box component prior to crash

Monitoring Recommendations

  • Track installed Telegram Desktop versions across managed endpoints and flag versions up to 6.7.5
  • Alert on repeated client crashes for the same user within short time windows
  • Review user reports of Telegram Desktop instability after bot interactions
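The detection and monitoring items above amount to two checks: decide whether an installed version is at or below 6.7.5, and raise an alert when the same user's Telegram Desktop process crashes repeatedly inside a short window on such a host. The following example is added here and is not code from the CVE entry, VulDB, or Telegram; the inventory, the crash-event line format, and the process names are constructed sample data, and the ten-minute window and threshold of three crashes are assumed tuning values. It also shows the version-comparison pitfall a naive string check would hit (6.10.0 is newer than 6.7.5 even though "1" sorts before "7").

```python
"""Added example (not from the CVE entry or Telegram): correlate constructed
endpoint crash telemetry with installed Telegram Desktop versions and flag
vulnerable hosts whose client crashes repeatedly within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Versions up to and including 6.7.5 are affected (per the CVE entry).
VULNERABLE_MAX = (6, 7, 5)

# Process names to treat as Telegram Desktop (assumed; extend for your fleet).
TELEGRAM_PROCESSES = {"telegram.exe", "telegram", "telegram-desktop"}


def parse_version(text):
    """Turn '6.7.5' into (6, 7, 5) so comparisons are numeric, not lexical.
    Non-digit suffixes such as '6.7.5 beta' are stripped; missing parts are 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    return parse_version(version_text) <= VULNERABLE_MAX


# Constructed inventory: host -> installed Telegram Desktop version.
INVENTORY = {
    "ws-001": "6.7.5",
    "ws-002": "6.10.0",   # newer than 6.7.5 despite sorting first as a string
    "ws-003": "6.7.5",
}

# Constructed crash telemetry: "timestamp host user process reason" per line.
CRASH_EVENTS = """\
2026-05-06T09:01:10 ws-001 alice Telegram.exe app_crash
2026-05-06T09:03:40 ws-001 alice Telegram.exe app_crash
2026-05-06T09:04:05 ws-001 alice Telegram.exe app_crash
2026-05-06T09:10:00 ws-002 bob Telegram.exe app_crash
2026-05-06T09:11:00 ws-002 bob Telegram.exe app_crash
2026-05-06T09:12:00 ws-002 bob Telegram.exe app_crash
2026-05-06T09:20:00 ws-003 carol Telegram.exe app_crash
2026-05-06T14:20:00 ws-003 carol Telegram.exe app_crash
2026-05-06T09:25:00 ws-003 carol chrome.exe app_crash
"""


def parse_events(text):
    """Parse the constructed line format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, proc, reason = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "proc": proc, "reason": reason})
    return events


def find_repeated_crashes(events, inventory, threshold=3,
                          window=timedelta(minutes=10)):
    """Return {(host, user): max_crashes_in_window} for hosts running a
    vulnerable version where Telegram crashed `threshold` or more times
    inside any sliding interval of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["proc"].lower() not in TELEGRAM_PROCESSES:
            continue                      # other applications are irrelevant
        version = inventory.get(e["host"])
        if version is None or not is_vulnerable(version):
            continue                      # unknown or already-updated host
        by_key[(e["host"], e["user"])].append(e["ts"])

    alerts = {}
    for key, times in by_key.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):     # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (host, user), count in find_repeated_crashes(
            parse_events(CRASH_EVENTS), INVENTORY).items():
        print(f"ALERT {host}/{user}: {count} Telegram Desktop crashes "
              f"within 10 minutes on a version <= 6.7.5")
```

On the sample data only ws-001/alice is flagged: bob's host runs 6.10.0 and is excluded by the numeric version check, and carol's two crashes are five hours apart, with the chrome.exe crash ignored. In production the inventory would come from the endpoint agent or the registry query shown under Workarounds, and the events from Windows Application log event ID 1000 or the equivalent crash telemetry on Linux and macOS.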

How to Mitigate CVE-2026-7701

Immediate Actions Required

  • Upgrade Telegram Desktop to a version newer than 6.7.5 once a fixed release is published by the vendor
  • Inventory all endpoints running Telegram Desktop and prioritize versions at or below 6.7.5 for update
  • Advise users to avoid interacting with login URL buttons from unknown or untrusted bots

Patch Information

No vendor advisory or patch reference has been published in the NVD entry at the time of disclosure. The reporter notes that the vendor did not respond to outreach prior to public disclosure. Refer to the VulDB Vulnerability #360870 entry and the VulDB Submission #804341 record for tracking updates. Additional context is available in the VulDB CTI for #360870 feed.

Workarounds

  • Restrict or block interactions with unverified Telegram bots in organizational acceptable use policies
  • Configure host-based controls to automatically restart Telegram Desktop on crash to limit user disruption
  • Educate users that clicking login URL buttons from unfamiliar bots can crash the client

powershell
# Identify Telegram Desktop versions across Windows endpoints.
# The official installer registers per-user by default, so query HKCU as well as HKLM.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "Telegram Desktop*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
