Description
A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. There is ongoing doubt regarding the real existence of this vulnerability. Upgrading to version 6.7.6 is able to resolve this issue. Upgrading the affected component is recommended. The vendor provides this rationale for the dispute: "[T]he described scenario does not lead to any security issue or vulnerability, and only causes a one-time crash. In the outlined scenario, the targeted user must perform an active action, which doesn't produce any consequences after the app is relaunched."
Published: 2026-05-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference in the RequestButton routine of Telegram Desktop's Bot API component is triggered when an attacker supplies a malicious login_url. The flaw can be triggered remotely and causes a single crash of the application. The vendor disputes that this leads to any lasting security issue, stating that the crash is one-time and has no consequences after the app is relaunched. Nonetheless, the crash still results in a denial of service for the user.

Affected Systems

Telegram Desktop versions up to and including 6.7.5 are affected; the vulnerable code resides in the Bot API component within url_auth_box.cpp and runs on all supported platforms.

Risk and Exploitability

With a CVSS score of 5.3, the severity is considered medium. The exploit is publicly disclosed and can be executed remotely by sending a crafted login_url, but the EPSS score is < 1% and the vulnerability is not listed in CISA's KEV catalog. The primary impact is a denial of service that may affect end-user availability.

Generated by OpenCVE AI on May 19, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Telegram Desktop to a version newer than 6.7.5 that contains the patch for the RequestButton null pointer dereference.
  • If an update cannot be applied immediately, block or restrict access to the Bot API’s login_url feature using a firewall or application‑layer controls to prevent the vulnerable request from reaching the function.
  • Monitor Telegram Desktop logs for abnormal crashes or authentication failures that may indicate attempts to exploit the null pointer dereference, and notify the relevant security team.



Advisories

No advisories yet.

History

Tue, 19 May 2026 14:30:00 +0000

Type: Description
Values Removed: A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Values Added: A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. There is ongoing doubt regarding the real existence of this vulnerability. Upgrading to version 6.7.6 is able to resolve this issue. Upgrading the affected component is recommended. The vendor provides this rationale for the dispute: "[T]he described scenario does not lead to any security issue or vulnerability, and only causes a one-time crash. In the outlined scenario, the targeted user must perform an active action, which doesn't produce any consequences after the app is relaunched."

Type: First Time appeared
Values Added: Telegram desktop

Type: CPEs
Values Added: cpe:2.3:a:telegram:desktop:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Telegram desktop

Type: Metrics
Values Removed:
cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
Values Added:
cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}


Tue, 05 May 2026 20:15:00 +0000

Type: Metrics
Values Added:
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 16:15:00 +0000

Type: First Time appeared
Values Added:
Telegram
Telegram telegram Desktop

Type: Vendors & Products
Values Added:
Telegram
Telegram telegram Desktop

Sun, 03 May 2026 15:45:00 +0000

Type: Description
Values Added: A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference

Type: Weaknesses
Values Added:
CWE-404
CWE-476

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-19T13:35:10.102Z

Reserved: 2026-05-02T20:30:23.558Z

Link: CVE-2026-7701

Vulnrichment

Updated: 2026-05-05T19:53:09.221Z

NVD

Status: Deferred

Published: 2026-05-03T16:15:57.757

Modified: 2026-06-17T11:02:49.570

Link: CVE-2026-7701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release

  • CWE-476

    NULL Pointer Dereference