Null Pointer Dereference in Telegram Desktop Bot API Affects Multiple Versions
CVE-2026-7701
5.3 MEDIUM
What is CVE-2026-7701?
A vulnerability rated medium severity (CVSS v4 score 5.3) has been identified in the Bot API component of Telegram Desktop versions prior to 6.7.5. The weakness is in the RequestButton function in the file Telegram/SourceFiles/boxes/url_auth_box.cpp, where improper handling of the login_url parameter can result in a null pointer dereference. An attacker can exploit this vulnerability remotely, potentially allowing for unauthorized actions. The issue has been publicly disclosed, and although the vendor was notified early, it has not responded regarding remediation.
Affected Version(s)
Desktop 6.7.0
Desktop 6.7.1
Desktop 6.7.2
CVSS V4
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
oblivionsage (VulDB User)
VulDB CNA Team
