CVE-2021-27351
Description
The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Telegram's Terminate Session feature fails to invalidate recently active sessions, allowing continued access after termination.
Vulnerability
After a user terminates a session with Telegram's Terminate Session feature, the session token is not properly invalidated if the session was recently active. Affected: Telegram Android through 7.2.1, and Telegram Desktop (Windows, UNIX) through 2.4.7 [1][2].
Exploitation
An attacker who gains access to a session token (e.g., via physical access or malware) can continue to use it even after the legitimate user triggers Terminate Session, as long as the session was active recently. No additional authentication is required.
Impact
Successful exploitation allows an attacker to maintain unauthorized access to the victim's Telegram account, potentially reading messages, sending messages, and accessing account settings, bypassing the intended security of session termination.
Mitigation
Upgrade to Telegram Android 7.2.2+ or Telegram Desktop 2.4.11+ [2]. Gentoo users can emerge the fixed versions as per GLSA 202105-07 [2]. No known workaround exists.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram/Telegram
- Range: <=7.2.1 (Android), <=2.4.7 (Windows/UNIX)
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202105-07 (mitre, vendor-advisory, x_refsource_GENTOO)
- 0ffsecninja.github.io/Telegram:CVE-2021-2735.html (mitre, x_refsource_MISC)