PT-2026-36705 · Telegram · Telegram Desktop
Oblivionsage · Published 2026-05-03 · Updated 2026-05-03 · CVE-2026-7701
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Telegram Desktop versions prior to 6.7.6
Description
A null pointer dereference (a condition where a program attempts to read from a memory address that is null, typically causing a crash) can be triggered remotely in the Bot API component. The issue exists within the RequestButton() function located in the Telegram/SourceFiles/boxes/url_auth_box.cpp file, specifically through the manipulation of the login_url argument.
Recommendations
Update to a version newer than 6.7.5.
As a temporary workaround, restrict the use of the RequestButton() function in the Bot API component.
Fix
Improper Resource Release
NULL Pointer Dereference
Affected Products
Telegram Desktop