CVE-2026-23866: Improper Verification of Source of a Communication Channel (CWE-940) in Facebook WhatsApp for Android
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
AI Analysis
Technical Summary
This vulnerability (CWE-940) in WhatsApp for Android versions 2.25.8.0 to 2.26.7.10 arises from incomplete validation of AI rich response messages related to Instagram Reels. It could enable an attacker to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-level custom URL scheme handlers. The issue affects both WhatsApp for Android and iOS but the focus here is on Android. The vendor has released an official fix to address this issue.
Potential Impact
The vulnerability allows limited impact: an attacker could cause a victim's device to process media content from arbitrary URLs, which might trigger OS-level custom URL scheme handlers. The CVSS score is 4.3 (medium), indicating low confidentiality impact, no integrity or availability impact, and requiring low privileges but no user interaction. No evidence of exploitation in the wild has been observed.
Mitigation Recommendations
An official fix is available from the vendor. Users and administrators should apply the latest WhatsApp updates beyond version 2.26.7.10 on Android to remediate this vulnerability. Since the vendor has provided an official fix, applying this update is the recommended mitigation.
CVE-2026-23866: Improper Verification of Source of a Communication Channel (CWE-940) in Facebook WhatsApp for Android
Description
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
CVSS v3.1
Score 4.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CWE-940) in WhatsApp for Android versions 2.25.8.0 to 2.26.7.10 arises from incomplete validation of AI rich response messages related to Instagram Reels. It could enable an attacker to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-level custom URL scheme handlers. The issue affects both WhatsApp for Android and iOS but the focus here is on Android. The vendor has released an official fix to address this issue.
Potential Impact
The vulnerability allows limited impact: an attacker could cause a victim's device to process media content from arbitrary URLs, which might trigger OS-level custom URL scheme handlers. The CVSS score is 4.3 (medium), indicating low confidentiality impact, no integrity or availability impact, and requiring low privileges but no user interaction. No evidence of exploitation in the wild has been observed.
Mitigation Recommendations
An official fix is available from the vendor. Users and administrators should apply the latest WhatsApp updates beyond version 2.26.7.10 on Android to remediate this vulnerability. Since the vendor has provided an official fix, applying this update is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Meta
- Date Reserved
- 2026-01-16T19:49:26.309Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- official-fix
Threat ID: 69f4d323cbff5d861010f924
Added to database: 5/1/2026, 4:21:55 PM
Last enriched: 5/1/2026, 4:36:32 PM
Last updated: 6/15/2026, 5:03:16 PM
Views: 138
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.