WhatsApp AI Rich Resp Remote Media Trigger v2.252.26.15 (iOS/Android)
CVE-2026-23866 Published on May 1, 2026
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another users device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
Weakness Type
Improper Verification of Source of a Communication Channel
The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.
Affected Versions
Facebook WhatsApp for Android:- Version 2.25.8.0 and below 2.26.7.10 is affected.
- Version 2.25.8.0 and below 2.26.15.72 is affected.