PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7701 Telegram CVE debrief

A disputed null pointer dereference vulnerability in Telegram Desktop up to version 6.7.5, affecting the RequestButton function in url_auth_box.cpp. The issue involves manipulation of the login_url argument in the Bot API component. The vendor disputes this constitutes a security vulnerability, characterizing it as a one-time crash requiring user interaction with no persistent effects. The CVE was published on 2026-05-03 and last modified on 2026-05-19. CVSS 4.0 score of 2.1 (LOW severity). Not listed in CISA KEV.

Vendor
Telegram
Product
Desktop
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-03
Original CVE updated
2026-05-19
Advisory published
2026-05-03
Advisory updated
2026-05-19

Who should care

Organizations using Telegram Desktop with Bot API integrations; security teams evaluating disputed CVEs for prioritization; incident responders tracking publicly disclosed crashes in messaging applications

Technical summary

The vulnerability exists in the RequestButton function within Telegram/SourceFiles/boxes/url_auth_box.cpp. A manipulated login_url argument triggers a null pointer dereference. Attack requires remote network access but depends on user interaction. The vendor contests security relevance, stating the crash is one-time, requires active user action, and produces no consequences after app relaunch. Fixed in version 6.7.6.

Defensive priority

low

Recommended defensive actions

  • Upgrade Telegram Desktop to version 6.7.6 or later if running affected versions up to 6.7.5
  • Monitor vendor security advisories for official position updates
  • Assess organizational use of Telegram Desktop Bot API features as part of risk evaluation
  • Consider the vendor's dispute rationale in vulnerability prioritization decisions
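The first action above is a version check, and the one pitfall in automating it is comparing version strings lexically ("6.10.0" sorts below "6.7.6" as text). The following is an added example, not code from PatchSiren or Telegram: it compares Telegram Desktop version strings component by component and labels each inventoried host as needing an upgrade (6.7.5 or earlier), already fixed (6.7.6 or later), or unknown. The hostnames and version strings in the sample inventory are constructed for the example.

```python
# Added example (not from the PatchSiren page): decide whether an inventoried
# Telegram Desktop build is within the affected range described in the debrief
# (up to and including 6.7.5) or already carries the fix (6.7.6 or later).
# Versions are compared numerically, component by component, because a plain
# string comparison would wrongly rank "6.10.0" below "6.7.6".

from typing import Dict, Tuple

FIXED_VERSION = "6.7.6"  # fixed release named in the debrief


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.7.5' (optionally with a trailing word such as '6.7.5 beta') into a tuple of ints."""
    core = text.strip().split()[0] if text.strip() else ""
    parts = core.split(".")
    if not core or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release (tuples compare numerically)."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'upgrade' / 'ok' / 'unknown' for a host-to-version inventory."""
    result: Dict[str, str] = {}
    for host, ver in inventory.items():
        try:
            result[host] = "upgrade" if is_affected(ver) else "ok"
        except ValueError:
            # Unparseable entries are surfaced rather than silently treated as safe.
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ws-01": "6.7.5",        # last affected release
    "ws-02": "6.7.6",        # fixed release
    "ws-03": "6.10.0",       # newer than the fix; lexical compare would get this wrong
    "ws-04": "6.7.5 beta",   # trailing tag is ignored for the comparison
    "ws-05": "n/a",          # no version recorded
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The tuple comparison is the whole point: `(6, 10, 0) < (6, 7, 6)` is False, while the string `"6.10.0" < "6.7.6"` is True, so an inventory script that sorts raw strings would flag a current build as vulnerable and could, in the reverse case, miss an old one.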

Evidence notes

Vendor dispute explicitly documented in the CVE description. VulDB references include submission and vulnerability pages plus a YouTube demonstration. NVD status is 'Deferred'. The CVSS 4.0 vector indicates a network attack vector with user interaction required, low availability impact, and proof-of-concept exploit availability.

Official resources

public