Incomplete Validation Vulnerability in WhatsApp for iOS and Android
CVE-2026-23866

4.3 MEDIUM

Key Information:

Vendor: Facebook
CVE Published: 1 May 2026

What is CVE-2026-23866?

A vulnerability exists in WhatsApp for iOS and Android due to incomplete validation of AI rich response messages related to Instagram Reels. This flaw could allow a user to trigger the processing of media content from arbitrary URLs on another user’s device, including the activation of OS-controlled custom URL scheme handlers. Despite the potential for exploitation, no evidence has been found indicating that this vulnerability has been actively exploited in the wild.

Affected Version(s)

WhatsApp for Android 2.25.8.0 < 2.26.7.10

WhatsApp for iOS 2.25.8.0 < 2.26.15.72

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
