Critical Zero-Click Vulnerability Found in Telegram: Danger Rating - 9.8 out of 10

The Telegram messenger has a critical vulnerability that allows hackers to seize accounts without any action from the user. The vulnerability is registered in the Zero Day Initiative database and scored 9.8 out of 10 on the CVSS scale. It was discovered on March 26, 2026; the details have not yet been disclosed and may be published after July 24. However, experts have already confirmed that exploitation requires no interaction with the victim, and the attack complexity is rated as low. Among the first to draw attention to the threat were specialists from the Russian companies Positive Technologies and Kaspersky.

Zero‑click and media files: how the attack works

Alexander Leonov, a leading vulnerability management expert at PT Expert Security Center in Positive Technologies, explained that an attacker can send the victim a specially prepared malicious media file. When the victim views this file, even without clicking on it, malicious code can be executed on the device.

Based on the vulnerability vector, we assume that one of the possible exploitation options may be that the attacker sends the victim a specially prepared malicious media file. When the user views this file, even without clicking on it, malicious code can be executed on the device.
Alexander Leonov, leading vulnerability management expert at PT Expert Security Center in Positive Technologies

Theoretically, the expert added, hackers can gain full control over the messenger or full access to the user account, including correspondence. According to information from hackers, sending an animated sticker is enough to attack Android and Linux; this leads to remote code execution (zero‑click RCE). A working exploit and file generator already exist.

Vulnerability is already being sold, no patch yet

Posts about the sale of information on this vulnerability have appeared on Telegram itself. Vladimir Daschenko, an expert at Kaspersky ICS CERT, wrote in his Telegram channel that the situation would be "short but bright fun" if the data does not turn out to be a scam.

If it's not a scam, then they will definitely close [the vulnerability] quickly. But if it's true, then there will be "fun". Short but bright
Vladimir Daschenko, expert at Kaspersky ICS CERT.

At the time of publication, there is no official patch from the Telegram developers. The vulnerability is listed in the Upcoming category with a note that details will be disclosed after July 24, 2026, to give the company time to fix it.

Vulnerability characteristics (ZDI‑CAN‑30207)

  • CVSS 3.1 score: 9.8 (critical level)
  • CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Type: zero‑click, remote code execution (RCE)
  • Affected platforms: Android, Linux
  • Required attacker action: send an animated sticker
  • Fix status: no patch, confirmed vulnerability
  • Date of discovery: March 26, 2026
  • Planned disclosure of details: after July 24, 2026

For comparison: previous critical vulnerabilities in Telegram required at least minimal user interaction (for example, clicking on a link). Zero‑click RCE is extremely rare and is considered one of the most dangerous classes of vulnerabilities in messengers. A score of 9.8 is close to the maximum (10) and indicates the possibility of complete compromise of the device without the owner's knowledge.
