A critical security flaw has been unearthed in Telegram, the world's leading encrypted messaging platform, drawing significant attention within the cybersecurity community. Discovered by Michael DePlante (@izobashi) of the Trend Micro Zero Day Initiative (ZDI), the vulnerability, tracked as ZDI-CAN-30207, has been assigned a severity score of 9.8 on the CVSS scale.
Reported to Telegram on March 26, 2026, the flaw represents a “worst-case scenario” for digital privacy, as it allows for remote, unauthenticated exploitation without any user interaction.
The vulnerability's technical vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, puts more than one billion active users of the platform at risk:
- Network (AV:N): The attack can be launched remotely over the internet.
- Low Complexity (AC:L): No specialized conditions or complex bypasses are required to trigger the flaw.
- No Privileges (PR:N): The attacker does not need an account or special permissions on the target system.
- No User Interaction (UI:N): This is a zero-click vulnerability. A victim does not need to click a link, open a file, or even be active on the app for their system to be compromised.
- High Impact (C:H/I:H/A:H): A successful exploit grants total control, allowing attackers to steal data (Confidentiality), modify system files (Integrity), and crash services (Availability).
The exact technical details remain under wraps to prevent immediate exploitation. According to the ZDI’s upcoming advisory portal, the public disclosure date is set for July 24, 2026. This gives the vendor a four-month window to develop and deploy a patch before the full mechanics of the bug are revealed to the public.
Tweet from TrendAI Zero Day Initiative (@thezdi), March 26, 2026: https://t.co/yAYyfyBsC3
Historically, vulnerabilities in messaging apps have been highly sought after by state-sponsored actors and mercenary “spyware” groups for high-value targeting. Given the 9.8 severity rating, ZDI-CAN-30207 likely involves a fundamental flaw in how the application handles incoming data, such as media files or automated bot requests.
Until a formal patch is released, security experts recommend the following:
- Enable Automatic Updates: Ensure your Telegram client (Desktop, iOS, and Android) is set to update automatically.
- Limit Contact: Restrict who can send you messages and files in the Privacy and Security settings.
- Monitor Official Channels: Watch for an “Emergency Security Update” notification from Telegram.
Update:
A Telegram spokesperson told us: “This flaw does not exist. This researcher falsely claims that a corrupted Telegram sticker could be used as an attack vector, which completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps.”
*** Title updated following Telegram’s official response.
*** The CVSS score was adjusted to 7.0.