Medium severity4.3NVD Advisory· Published May 1, 2026· Updated May 11, 2026

CVE-2026-23866

Description

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.

Affected products

Whatsapp/Whatsapp2 versions
cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*+ 1 more
- cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*range: >=2.25.8.0,<=2.26.7.10
- cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:*range: >=2.25.8.0,<=2.26.15.72

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.facebook.com/security/advisories/cve-2026-23866nvdThird Party Advisory
www.whatsapp.com/security/advisories/2026nvdVendor Advisory

News mentions

Meta’s confusing new approach to chat privacy
Malwarebytes Labs · May 15, 2026
WhatsApp adds Incognito Chat for private Meta AI conversations
Help Net Security · May 13, 2026
Apple, Google drag cross-platform texting into the encrypted age
The Register Security · May 12, 2026
BWH Hotels guests warned after reservation data checks out with cybercrooks
The Register Security · May 11, 2026
A week in security (May 4 – May 10)
Malwarebytes Labs · May 11, 2026
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
The Hacker News · May 8, 2026
Meta U-turns on encryption push for Instagram as DMs go plaintext
The Register Security · May 8, 2026
New TCLBanker malware self-spreads over WhatsApp and Outlook
BleepingComputer · May 7, 2026
Update WhatsApp now: Two new flaws could expose you to malicious files
Malwarebytes Labs · May 5, 2026
WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities
SecurityWeek · May 5, 2026
Meta adds proof-based security to encrypted backups
Help Net Security · May 5, 2026
The Good, the Bad and the Ugly in Cybersecurity – Week 18
SentinelOne Labs · May 1, 2026
Risky Business #835 -- Why the Fast16 malware is badass
Risky Business · Apr 29, 2026
20th April – Threat Intelligence Report
Check Point Research · Apr 20, 2026
The Good, the Bad and the Ugly in Cybersecurity – Week 16
SentinelOne Labs · Apr 17, 2026
6th April – Threat Intelligence Report
Check Point Research · Apr 6, 2026
Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
Krebs on Security · Mar 11, 2026
Risky Business #828 -- The Coruna exploits are truly exquisite
Risky Business · Mar 11, 2026
How AI Assistants are Moving the Security Goalposts
Krebs on Security · Mar 8, 2026

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000