CVE-2021-27204
Description
Telegram before 7.4 (212543) Stable on macOS stores the local passcode in cleartext, leading to information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Telegram for macOS before 7.4 stores the local passcode in cleartext, allowing local attackers to recover the passcode from the file system and bypass the lock screen.
Vulnerability
Telegram for macOS versions prior to 7.4 (212543) Stable stores the application's local passcode in cleartext within a configuration file. The passcode is not encrypted or obfuscated, making it readable by any process or user with access to the file system. This affects the lock screen protection that users may enable on the desktop client. The issue was fixed in version 7.4 (212543) Stable [1].
Exploitation
An attacker with local file system access to a macOS system where Telegram is installed can retrieve the plaintext passcode. No authentication or user interaction is required beyond having the ability to read files from the Telegram application's configuration directory. The attacker can directly examine the file that contains the stored passcode without any special privileges [1].
Impact
Successful exploitation leads to disclosure of the user's local Telegram passcode. An attacker who obtains this passcode can bypass the lock screen and gain access to the Telegram client on that machine, reading messages and media stored locally. The vulnerability does not compromise the Telegram cloud servers or end-to-end encryption, but it negates the local security measure provided by the passcode feature [1].
Mitigation
Users should update Telegram for macOS to version 7.4 (212543) Stable or later, as this version patches the issue. No workaround is available for unpatched versions. Users should ensure the application has been updated via the Mac App Store or Telegram's official website [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram/Telegram
- Range: <7.4 (212543) Stable
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Telegram macOS client stores the user's local passcode in cleartext on disk instead of using encrypted storage or the system keychain."
Attack vector
An attacker with local access to the macOS filesystem can read the Telegram local passcode, which is stored in cleartext [1]. No authentication or network access is required beyond the ability to browse the file system of the affected machine. The passcode is intended to protect the application from unauthorized local use, but storing it in plaintext defeats that purpose entirely.
Affected code
The advisory [1] states that Telegram for macOS versions before 7.4 (212543) Stable stores the local passcode in cleartext. The specific file or code path where the passcode is persisted is not detailed in the reference write-up.
What the fix does
The advisory [1] indicates the vulnerability was patched in Telegram for macOS version 7.4 (212543) Stable, but does not describe the specific remediation. No patch diff is available in the bundle. The fix presumably involves encrypting the local passcode before storage or using the system keychain instead of a cleartext file.
Preconditions
- network: Attacker must have local filesystem access to the macOS machine where Telegram is installed.
- config: The user must have set a local passcode in Telegram.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.inputzero.io/2020/12/telegram-privacy-fails-again.html (mitre, x_refsource_MISC)
- www.youtube.com/watch (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.