Telegram has rejected claims of a critical zero click flaw that allegedly allows attackers to take over devices through malicious animated stickers.
Quick Summary – TLDR:
- A critical vulnerability with a CVSS score of 9.8 was reported via Trend Micro Zero Day Initiative.
- Researchers claim zero click remote code execution via animated stickers.
- Telegram strongly denies the flaw, citing server side validation protections.
- No technical details released yet, full disclosure expected in July 2026.
What Happened?
A newly reported vulnerability suggests that Telegram users could be exposed to a zero-click attack through animated stickers, but the company insists the flaw does not exist. The issue has triggered debate between security researchers and Telegram, with limited technical details available so far.
👀👀👀 https://t.co/yAYyfyBsC3 pic.twitter.com/flxPC8ZUSX
— TrendAI Zero Day Initiative (@thezdi) March 26, 2026
Conflicting Claims Around a Critical Vulnerability
The controversy began when a vulnerability tracked as ZDI CAN 30207 was disclosed through the Trend Micro Zero Day Initiative. The flaw was assigned a CVSS score of 9.8, indicating a highly severe risk.
Security researcher Michael DePlante is credited with the discovery. According to early reports, the vulnerability could allow attackers to execute code on a target device simply by sending a specially crafted animated sticker.
What makes this claim particularly concerning is that the attack is described as zero-click, meaning:
- No user interaction is required.
- No need to open files or click links.
- Code execution could happen automatically upon receiving the sticker.
Experts warn that such an exploit could grant attackers full access to messages, contacts, and active sessions, effectively leading to complete device takeover.
Telegram Pushes Back Strongly
Telegram has firmly rejected the claims, stating that the described attack is not technically possible under its system design.
In a public response, the company said:
This flaw does not exist. This researcher falsely claims that a corrupted Telegram sticker could be used as an attack vector — which completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps.
— Telegram Messenger (@telegram) March 29, 2026
The company emphasized its server side validation process, explaining that:
- All sticker files are checked before delivery.
- Malformed or malicious files are blocked at the server level.
- Clients never process unverified sticker content.
According to Telegram, this architecture prevents any possibility of executing malicious code through stickers.
Who Could Be Affected?
Despite Telegram’s denial, reports suggest that the alleged vulnerability targets:
If real, the flaw could impact both individual users and organizations relying on Telegram for communication.
The Italian National Cybersecurity Agency also issued an alert highlighting the potential severity. It stated that such an exploit could allow attackers to gain control of devices without any visible signs to the user.
No Technical Details Yet
One key challenge is the lack of publicly available technical information. The Zero Day Initiative has withheld full details to allow time for investigation and possible fixes before the planned disclosure in July 2026.
This means:
- The vulnerability cannot yet be independently verified.
- No indicators of compromise are available.
- It is unclear whether the flaw has been exploited in real world attacks.
Precautionary Measures for Users
Until more clarity emerges, cybersecurity experts recommend a cautious approach.
Suggested steps include:
- Keep Telegram apps updated to the latest version.
- Avoid interacting with unknown contacts.
- Limit incoming messages to trusted users where possible.
- Consider using web versions in modern browsers for added isolation.
Organizations using Telegram for business communication are also advised to restrict message access to known contacts or verified users.
SQ Magazine’s Takeaway
I think this situation highlights a growing tension between security researchers and tech platforms. On one side, you have a serious claim backed by a high severity score. On the other, Telegram is confidently saying the flaw is impossible. That kind of direct contradiction is rare and worth watching closely.
Until full details are released, I would not ignore this. Even if the flaw turns out to be overstated, the idea of a zero-click attack through everyday features like stickers is a reminder of how creative modern threats have become. Staying cautious right now is the smartest move.