Telegram Zero-Click RCE Claim Sparks Security Fears as Telegram Denies Animated Sticker Exploit

By Ash K
A newly disclosed Telegram vulnerability is raising serious concern across the security community after researchers said it could allow zero-click remote code execution on affected devices simply by sending a malicious animated sticker. The issue is tracked as ZDI-CAN-30207 and was listed by the Zero Day Initiative on March 26, 2026, with a public disclosure date of July 24, 2026.

According to public reporting that cites the researcher’s disclosure, the flaw was found by Michael DePlante (@izobashi) of TrendAI Zero Day Initiative and affects Telegram on Android and Linux. The reported attack path is especially alarming because it allegedly requires no user interaction. A crafted animated sticker would be enough to trigger code execution during Telegram’s automatic media processing and preview generation flow.

That makes the case notable even before full technical details are available. Zero Day Initiative has not published exploit specifics, a common practice when a vendor still has time left in the disclosure window. The ZDI listing currently shows the Telegram issue as an upcoming advisory and rates it CVSS 7.0, while some secondary reports have described it as 9.8. That mismatch means defenders should be careful not to overstate what has been independently confirmed so far.

The other reason the story matters is that Telegram is disputing the claim. Italy’s National Cybersecurity Agency, ACN, said Telegram formally denied the existence of the reported zero-click flaw and argued that the attack should be technically impossible because all uploaded stickers are validated server-side before being delivered to client applications. According to ACN’s summary of Telegram’s position, this centralized filtering prevents malformed stickers from being used as an attack vector.

That leaves the security community in an unusual but important position: there is a public ZDI disclosure entry and third-party reporting describing a zero-click RCE path, but the vendor is explicitly rejecting the existence of the bug. Until a patch, deeper technical proof, or a more detailed vendor explanation appears, the issue remains partly verified and partly contested.

If the researcher’s claims are accurate, the implications are severe. A zero-click code execution vulnerability in Telegram could let an attacker gain control of a target device without needing the victim to open a file, tap a link, or approve any prompt. In practical terms, that could mean account compromise, data theft, surveillance, or wider device takeover from what appears to be an ordinary inbound sticker. This paragraph is an inference based on the claimed impact of zero-click RCE, not a confirmed statement that such exploitation is occurring in the wild.

At the moment, there is no public evidence of in-the-wild exploitation, and ZDI has withheld technical details to give Telegram time to respond before the July 24 disclosure deadline. That means the immediate risk picture is still incomplete. It also means defenders have very little to validate independently beyond the existence of the disclosure, the claimed attack vector, and Telegram’s denial.

One mitigation that has been publicly highlighted applies to Telegram Business users. ACN said those users can reduce exposure by limiting incoming messages from new contacts through Settings → Privacy and Security → Messages, restricting delivery to saved contacts or Premium users only. That is not a fix for the underlying claim, but it may reduce unsolicited attack surface while the dispute remains unresolved.

The broader lesson is that messaging platforms remain prime zero-click targets because they automatically parse rich content at scale and sit at the center of personal and professional communications. Whether this Telegram issue ultimately proves to be exploitable, mischaracterized, or fully invalid, the public dispute itself shows how high the stakes have become once a vulnerability claim involves media parsing and silent device compromise.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident Response, Products and Security Solutions Architecture.