Critical Zero-Click Vulnerability Reported in Telegram
Take action: Disable auto-download of media files (Settings->Data and Storage->Auto-download media), disable auto-play of media, and restrict incoming messages to known contacts (a paid feature) until Telegram releases a patch. At a minimum, set who can find you on Telegram to nobody until this is patched. The zero-click flaw is especially dangerous because it requires no action from your employees for their devices to be compromised.
A researcher has reported a critical zero-click vulnerability in Telegram that allows remote, unauthenticated attackers to compromise user accounts and run malicious code without any action from the victim.
The flaw was reported to the company on March 26, 2026, by security researcher Michael DePlante.
The vulnerability is tracked as ZDI-CAN-30207 (CVSS score 9.8): a remote code execution vulnerability in the Telegram messenger that allows unauthenticated attackers to run arbitrary code via a network-based attack. The flaw is triggered when the application processes a specially crafted media file, such as an animated sticker, without requiring any user interaction. Zero-click flaws represent a worst-case scenario for the platform's one billion users, because the attack bypasses the security prompts and user-interaction requirements that would otherwise give a user the chance to refuse.
Security specialists from Positive Technologies and Kaspersky have noted that a working exploit and file generator are already circulating. This suggests that the vulnerability is not just theoretical but a practical tool for account hijacking and surveillance.
The vulnerability primarily affects Telegram users on Android and Linux platforms, but the underlying flaw in media processing may extend to other versions. Telegram has remained silent regarding the discovery, and no official timeline for a fix has been shared with the public. The Zero Day Initiative has set a disclosure deadline of July 24, 2026, to allow the developers time to create and deploy a patch. Until then, the specific technical mechanics of the bug remain restricted to prevent widespread exploitation by malicious actors.
Remediation is currently limited, as no official patch exists for the platform. Users are strongly advised to enable automatic updates so that they receive the fix immediately upon release. In the meantime, reducing the attack surface by restricting who can send you messages (unfortunately, a premium feature) in the Privacy and Security settings is a critical defensive step. Disabling the automatic download of media files (Settings->Data and Storage->Auto-download media) and disabling auto-play can also help prevent the silent processing of malicious stickers that would trigger the exploit.
Update - As of 31 March 2026, ACN contacted Telegram and updated the security notice. Telegram has denied the existence of the vulnerability and says that every sticker uploaded to the platform is validated and scanned on its servers before being distributed to client apps. Telegram claims that this central filtering process prevents the use of malicious stickers. ACN still recommends restricting the reception of messages from new contacts in Telegram, limiting it in the settings to one's own address book or to premium users.