Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
7DescriptionCVE.org
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
AnalysisAI
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.
Technical ContextAI
The vulnerability stems from incomplete input validation (CWE-940: Improper Validation of Untrusted Input) in the AI rich response message processing pipeline specific to Instagram Reels integration. When WhatsApp's AI-powered rich message feature processes responses associated with Reels, it fails to adequately sanitize or validate URLs embedded in these messages before triggering media processing. This allows an attacker to inject arbitrary URLs that the victim's device will attempt to resolve, potentially through OS-level URL scheme handlers (such as custom protocols on iOS or Android intent schemes). The vulnerability requires prior authentication and user interaction context (receiving a message), limiting but not eliminating exploitability. The affected versions represent a specific feature implementation window where this validation gap existed.
RemediationAI
Users should immediately update to WhatsApp for iOS version 2.26.15.73 or later and WhatsApp for Android version 2.26.7.11 or later, which contain the vendor-released patch addressing incomplete message validation. Updates are available through the Apple App Store and Google Play Store respectively. During the patching process, users can reduce exposure by avoiding clicking on suspicious media content in Reels-related messages from untrusted senders and disabling rich message previews if such an option is available in their WhatsApp settings. Organizations managing WhatsApp for Business should prioritize updates to the same patched versions. No compensating controls can fully mitigate this vulnerability short of disabling AI rich response features; the patch is the recommended remediation path.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26666