Ok, lil heads up here for Telegram users:

Sounds like a 9.8 CVSS vulnerability in Telegram that may allow for zero-click remote code execution was discovered yesterday.

Very little info, but until we know more, disable automatic downloads on all your devices with TG installed.
16
34
510
Has it been identified which versions of Telegram are affected yet?
0
0
0
thanks for this, where is the option for it?
1
0
0
Found it, in Advanced > Automatic media download. Does this vuln affect images as well?
1
0
6
"Telegram"
How can some guy identify an issue, without specifying what is actually affected? Library?
I'm on TGX, which is always kinda outdated, but I like the UI.
Hate AI garbo corps.
Also stickers and profile pics always 'auto-download' - what does it affect?
Isn't Android sandboxed and stuff?
0
0
1
What are you basing any of these claims on other than it being a 9.8? NOTHING in the TrendMicro post (which you can find here: www.zerodayinitiative.com/advisories/upcoming/, just put 30207 in the search) mentions anything about what you've said. Sources for ANY of this?
0
0
10
Is this why telegram was acting strange for the past week? I did perform the most recent updates so
0
0
0
Like I said, there's VERY little info right now other than it's a 9.8 on the CVSS and it can be defeated by disabling automatic media downloads.

Given it's a 9.8, I'm guessing there's some RCE/root capabilities here, so take appropriate measures for now.
3
0
43
CVE-2020-19909 is about a curl bug where "retry-delay" wraps around if you ask for a delay in the billions-of-years range.
It was also given a 9.8 severity rating, despite not being a security risk and having been fixed 4 years before.
So the number could mean nothing.
daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
1
0
0
Someone also stated that there's zero user interaction required for a total system hijack, which does directly imply root or RCE capabilities.
4
0
33
Potentially yes, it doesn't seem to specify mobile vs desktop client.

If I had to make a wild guess, I'd say something with the media processing pipeline having a buffer overflow or similar memory corruption vuln which causes undefined behavior.
1
0
1
Telegram's Twitter seems to be replying to people bringing it up and denying the report's validity. Should we be giving them the time of day on this, or is this something a company could/would say even if the issue was real?
1
0
1
This is me genuinely asking, btw, saw you've gotten some people being annoying about it
0
0
0
I disabled this setting on Telegram years ago after a bunch of trolls flooded a chat I was in with a ton of c---d p--n, and Telegram gleefully proceeded to AUTOMATICALLY SAVE IT ALL TO MY COMPUTER without me even knowing. That alone is reason enough to turn that feature off.
2
0
10
New fear unlocked, holy shit wtf.
1
0
1
Do you still see images when in a chat without clicking on them?
1
0
3
I don't understand why any program would have automatic downloads on by default. It just seems obvious to always ask the user to confirm they want to download something, rather than just accepting any files sent automatically.
1
0
9
As a reminder, everything you see on social media is being "automatically downloaded". This isn't about it auto-downloading an exe. It's about potentially the funny image posted in chat being malicious. Here, have an image of a bunny I saw.
1
0
33
And deleting your user name for the time being also helps.
0
0
0
Done. Thanks for the heads up.
0
0
1
Linking this here as a good REAL explanation of the current situation.
0
0
6
Patching schedule needs to be tighter than this.
1
0
2
The 'details released' date is not the 'patched on' date; it'll be patched WAAAY sooner.
0
0
3
Does this affect iOS and Linux users at all?
0
0
0
Telegrams that come with an ass whooping
0
0
0
Wow, the guy behind this is intensely legit. Excited (/terrified) to see what this is gonna be.
2
0
17
Wait did they rebrand to TrendAI?
1
0
2
Thank You for your ap-purr-aisal
0
0
0