Description
A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference exists in the RequestButton routine of Telegram Desktop’s Bot API and is triggered when an attacker supplies a malicious login_url. The flaw can be triggered remotely and causes the application to crash or terminate unexpectedly when processing the request.

Affected Systems

Telegram Desktop versions up to and including 6.7.5 are affected; the vulnerable code resides in the Bot API component within url_auth_box.cpp and runs on all supported platforms.

Risk and Exploitability

With a CVSS score of 5.3 the severity is considered medium. The exploit is publicly disclosed and can be executed remotely by sending a crafted login_url, but the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The primary impact is a denial of service that may affect end‑user availability.

Generated by OpenCVE AI on May 3, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Telegram Desktop to a version newer than 6.7.5 that contains the patch for the RequestButton null pointer dereference.
  • If an update cannot be applied immediately, block or restrict access to the Bot API’s login_url feature using a firewall or application‑layer controls to prevent the vulnerable request from reaching the function.
  • Monitor Telegram Desktop logs for abnormal crashes or authentication failures that may indicate attempts to exploit the null pointer dereference, and notify the relevant security team.

Advisories

No advisories yet.

History

Sun, 03 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference
Weaknesses | | CWE-404, CWE-476
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T15:30:12.491Z

Reserved: 2026-05-02T20:30:23.558Z

Link: CVE-2026-7701

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T16:15:57.757

Modified: 2026-05-03T16:15:57.757

Link: CVE-2026-7701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T17:00:12Z
