Telegram has publicly denied the existence of a high-severity vulnerability reportedly affecting its messaging platform, pushing back against claims tied to an upcoming disclosure from Trend Micro’s Zero Day Initiative (ZDI).
The company insists that the alleged attack vector, allegedly malicious Telegram stickers, is not technically feasible under its current security model.
In a statement posted on X, Telegram dismissed the report, stating: “This flaw does not exist. This researcher falsely claims that a corrupted Telegram sticker could be used as an attack vector — which completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps.” The company emphasized that its server-side validation mechanisms prevent malformed or malicious sticker files from reaching users.
The denial comes in response to a scheduled advisory, tracked as ZDI-CAN-30207, for a flaw discovered by security researcher Michael DePlante, known online as @izobashi, and submitted through Trend Micro’s Zero Day Initiative. According to the ZDI entry, the vulnerability carries a CVSS score of 9.8, indicating critical severity, though no technical details have been publicly disclosed yet. The advisory was published on March 26, 2026, with full disclosure expected on July 24, 2026.
The Zero Day Initiative is a well-known vulnerability disclosure program operated by Trend Micro, which works with independent researchers to identify and responsibly disclose security flaws in widely used software and services. While ZDI listings often provide limited information ahead of coordinated disclosure dates, the assigned severity score suggests that the issue, if confirmed, could allow for significant impact, potentially including remote code execution or similar high-risk outcomes.
Telegram, a cloud-based messaging platform with hundreds of millions of active users worldwide, has long marketed itself as a privacy-focused service with strong encryption and security features. Its sticker system, a popular feature among users, relies on server-side processing and validation to ensure compatibility and safety across clients.
At this stage, the absence of technical details makes it difficult to independently verify either claim. Telegram’s categorical denial contrasts with ZDI’s classification of the issue as critical, setting the stage for closer scrutiny when full details are released later this year.
Until more information becomes available, users should ensure they are running the latest version of Telegram and apply standard security practices, including avoiding unofficial clients or modified apps that may bypass built-in protections. Also, be aware of stickers sent by unknown contacts.
Leave a Reply