Skip to main content

Telegram Desktop CVE-2026-7701

| EUVDEUVD-2026-26839 LOW
NULL Pointer Dereference (CWE-476)
2026-05-03 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
May 03, 2026 - 16:22 NVD
MEDIUM LOW
CVSS changed
May 03, 2026 - 16:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 03, 2026 - 16:15 vuln.today
EUVD ID Assigned
May 03, 2026 - 16:00 euvd
EUVD-2026-26839
Analysis Generated
May 03, 2026 - 16:00 vuln.today
CVE Published
May 03, 2026 - 15:30 nvd
LOW 2.1

DescriptionCVE.org

A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Null pointer dereference in Telegram Desktop up to version 6.7.5 allows remote attackers without authentication to cause denial of service by crafting a malicious login_url argument in the Bot API RequestButton function. The vulnerability requires user interaction to click a malicious link and has a public exploit disclosure, though vendor response to early disclosure notification was not forthcoming.

Technical ContextAI

The vulnerability exists in the RequestButton function within Telegram/SourceFiles/boxes/url_auth_box.cpp of the Telegram Desktop Bot API component. The flaw is a null pointer dereference (CWE-476) triggered when the login_url parameter is manipulated. When a null pointer is dereferenced during request processing, the application crashes rather than gracefully handling the malformed input. This is a memory safety issue where input validation or null-check assertions on the login_url argument are insufficient before dereferencing the pointer in downstream code.

RemediationAI

Users should upgrade Telegram Desktop to a version newer than 6.7.5 as soon as a patched release becomes available; however, no specific fixed version number has been independently confirmed from vendor sources at the time of this analysis. Users should avoid clicking suspicious links, especially those requesting Bot API authorization or login confirmation, as these are the primary attack vector. Until a patch is released, consider disabling automatic link opening in Telegram Desktop settings and enabling manual confirmation for any Bot API authorization requests. Administrators managing Telegram Desktop deployments should monitor vendor announcements for patch releases and enforce upgrades through managed software deployment once patches are confirmed available. The vendor's documented non-responsiveness to early disclosure suggests monitoring community forums and security databases (VulDB, NVD) for patch availability rather than relying on official vendor bulletins.

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

CVE-2023-1802 HIGH POC
7.5 Apr 06

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the H

CVE-2020-8227 MEDIUM POC
6.8 Aug 21

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Serv

CVE-2020-8140 MEDIUM POC
6.7 Mar 20

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client wit

CVE-2020-10665 MEDIUM POC
6.7 Mar 18

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnost

CVE-2023-28997 MEDIUM POC
6.5 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.5), thi

CVE-2021-32728 MEDIUM POC
6.5 Aug 18

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Rated medium severity

CVE-2023-28999 MEDIUM POC
6.4 Apr 04

Nextcloud is an open-source productivity platform. Rated medium severity (CVSS 6.4), this vulnerability is remotely expl

CVE-2023-28998 MEDIUM POC
6.1 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.1), thi

CVE-2022-39333 MEDIUM POC
6.1 Nov 25

Nexcloud desktop is the Desktop sync client for Nextcloud. Rated medium severity (CVSS 6.1), this vulnerability is remot

CVE-2021-22895 MEDIUM POC
5.9 Jun 11

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate ve

Share

CVE-2026-7701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy