Skip to main content

WhatsApp for iOS and Android CVE-2026-23866

| EUVDEUVD-2026-26666 MEDIUM
Improper Verification of Source of a Communication Channel (CWE-940)
2026-05-01 cve-assign@fb.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

7
Patch released
May 04, 2026 - 15:21 nvd
Patch available
Analysis Generated
May 01, 2026 - 19:00 vuln.today
CVSS changed
May 01, 2026 - 17:22 NVD
4.3 (MEDIUM)
Patch available
May 01, 2026 - 17:03 EUVD
EUVD ID Assigned
May 01, 2026 - 16:22 euvd
EUVD-2026-26666
Analysis Generated
May 01, 2026 - 16:22 vuln.today
CVE Published
May 01, 2026 - 16:16 nvd
MEDIUM 4.3

DescriptionCVE.org

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.

AnalysisAI

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.

Technical ContextAI

The vulnerability stems from incomplete input validation (CWE-940: Improper Validation of Untrusted Input) in the AI rich response message processing pipeline specific to Instagram Reels integration. When WhatsApp's AI-powered rich message feature processes responses associated with Reels, it fails to adequately sanitize or validate URLs embedded in these messages before triggering media processing. This allows an attacker to inject arbitrary URLs that the victim's device will attempt to resolve, potentially through OS-level URL scheme handlers (such as custom protocols on iOS or Android intent schemes). The vulnerability requires prior authentication and user interaction context (receiving a message), limiting but not eliminating exploitability. The affected versions represent a specific feature implementation window where this validation gap existed.

RemediationAI

Users should immediately update to WhatsApp for iOS version 2.26.15.73 or later and WhatsApp for Android version 2.26.7.11 or later, which contain the vendor-released patch addressing incomplete message validation. Updates are available through the Apple App Store and Google Play Store respectively. During the patching process, users can reduce exposure by avoiding clicking on suspicious media content in Reels-related messages from untrusted senders and disabling rich message previews if such an option is available in their WhatsApp settings. Organizations managing WhatsApp for Business should prioritize updates to the same patched versions. No compensating controls can fully mitigate this vulnerability short of disabling AI rich response features; the patch is the recommended remediation path.

Share

CVE-2026-23866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy