Description
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
Published: 2026-05-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incomplete validation of AI rich response messages that contain Instagram Reels references within WhatsApp. This oversight, identified as CWE-940, allows a malicious user to craft a message that triggers the victim’s device to fetch and process media content from an external URL. In some cases, the media content may invoke OS‑controlled custom URL scheme handlers, potentially executing arbitrary code or launching unintended applications. The CVSS score of 4.3 indicates moderate impact and a non‑zero but limited likelihood of exploitation.
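The check whose absence this entry describes is an allowlist on the media URL before anything is fetched or handed to the OS. The following is an added illustration, not WhatsApp's or Meta's code; the host allowlist, the length limit and the rejected cases are constructed assumptions about how such a validator could look.

```python
# Added example, not WhatsApp's or Meta's code: allowlist validation for a media URL
# carried in a rich-response message. The host allowlist and URL limit are
# constructed assumptions for illustration.
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this client is willing to fetch media from.
ALLOWED_MEDIA_HOSTS = frozenset({"cdn.example-reels.invalid"})
MAX_URL_LENGTH = 2048  # assumed limit


class MediaUrlRejected(ValueError):
    """Raised with a reason when a media URL must not be fetched."""


def validate_media_url(url: str, allowed_hosts=ALLOWED_MEDIA_HOSTS) -> str:
    """Return the URL if the client may fetch it, otherwise raise MediaUrlRejected.

    Only https is accepted: a custom scheme would be handed to the OS's registered
    handler, and javascript:/file:/data: URLs are never media. The host must match
    the allowlist exactly (case-insensitive), with no userinfo and no odd port.
    """
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LENGTH:
        raise MediaUrlRejected("missing, non-string, empty or oversized URL")
    # urlsplit silently drops \t \r \n, so reject control characters first.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise MediaUrlRejected("whitespace or control characters in URL")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise MediaUrlRejected(f"unparseable URL: {exc}") from None
    if parts.scheme != "https":  # urlsplit already lowercases the scheme
        raise MediaUrlRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise MediaUrlRejected("userinfo (user@host) in URL")
    # hostname is already lowercased; a trailing dot names the same host.
    host = (parts.hostname or "").rstrip(".")
    if not host.isascii() or host not in allowed_hosts:
        raise MediaUrlRejected(f"host not allowlisted: {host!r}")
    if port not in (None, 443):
        raise MediaUrlRejected(f"non-standard port: {port}")
    return url


def is_allowed_media_url(url: str, allowed_hosts=ALLOWED_MEDIA_HOSTS) -> bool:
    """Boolean wrapper for callers that do not need the rejection reason."""
    try:
        validate_media_url(url, allowed_hosts)
    except MediaUrlRejected:
        return False
    return True
```

Anything that fails the check is dropped before the client touches the network or the OS URL dispatcher; logging the rejection reason gives a useful detection signal for crafted messages.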

Affected Systems

Affected deployments are WhatsApp for iOS versions from 2.25.8.0 through 2.26.15.72 and WhatsApp for Android versions from 2.25.8.0 through 2.26.7.10. Both products are distributed by Facebook.

Risk and Exploitability

The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. This suggests that, so far, no exploitation in the wild has been documented. Nonetheless, the vulnerability could be exploited by a social‑engineering attacker who is able to deliver a crafted AI rich response to a victim. The attack vector is inferred to be a malicious media link sent by another user, so the risk is considered moderate.

Generated by OpenCVE AI on May 2, 2026 at 11:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available updates from WhatsApp or Facebook.
  • Avoid interacting with unfamiliar or suspicious media links or AI rich responses from unknown senders.
  • Restrict or disable custom URL scheme handlers on the device to limit execution of arbitrary URLs.

Generated by OpenCVE AI on May 2, 2026 at 11:32 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 02 May 2026 12:00:00 +0000

Type: Title
Values removed: (none)
Values added: Unvalidated Media URL Processing Via WhatsApp AI Rich Response Messages

Fri, 01 May 2026 18:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-940

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:45:00 +0000

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C'}


Fri, 01 May 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added: Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Meta

Published:

Updated: 2026-05-01T17:42:09.286Z

Reserved: 2026-01-16T19:49:26.309Z

Link: CVE-2026-23866

Vulnrichment

Updated: 2026-05-01T17:42:01.834Z

NVD

Status : Received

Published: 2026-05-01T16:16:29.980

Modified: 2026-05-01T18:16:14.190

Link: CVE-2026-23866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses