Pending Analysis: CVE-2026-23863

CVE-2026-23863: Attachment Spoofing in WhatsApp Desktop

Platform: android

Component: whatsapp

Fixed in: 2.3000.1032164386.258709

CVE-2026-23863 describes an attachment spoofing vulnerability affecting WhatsApp Desktop for Windows. This flaw allows attackers to craft documents with embedded NUL bytes in the filename, tricking the application into displaying them as a different file type while still executing malicious code when opened. The vulnerability impacts versions 2.3000.0.0 through 2.3000.1032164386.258709, and a patch is available in version 2.3000.1032164386.258709.


Impact and Attack Scenarios

The primary impact of this vulnerability lies in the potential for remote code execution. An attacker could craft a seemingly harmless document (e.g., a PDF or image) and embed NUL bytes within the filename. When a user opens this document in WhatsApp Desktop, the application might display it as a safe file type, but the embedded executable code will be triggered. This could lead to arbitrary code execution on the victim's machine, allowing the attacker to install malware, steal data, or gain control of the system. The blast radius is limited to users who receive and open the malicious attachment via WhatsApp Desktop.

Exploitation Context

This vulnerability was published on May 1, 2026, and has not been listed on KEV or EPSS as of this writing. The EPSS score is likely low given the lack of observed exploitation and the client-side nature of the vulnerability. No public proof-of-concept (POC) code is currently available. The NVD and CISA have not yet published advisories related to this CVE.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.01% (1% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C
CVSS v3.1 Base Score: 6.5 MEDIUM (nextguardhq.com)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: whatsapp
Vendor: Facebook
Minimum version: 2.3000.0.0
Maximum version: 2.3000.1032164386.258709
Fixed in: 2.3000.1032164386.258709

Weakness Classification (CWE)

Timeline

  1. Published
  2. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-23863 is to upgrade WhatsApp Desktop for Windows to version 2.3000.1032164386.258709 or later. Since this is a client-side vulnerability, there are no immediate server-side mitigations. Users should be educated about the risks of opening attachments from untrusted sources, even if they appear to be benign. While no exploitation in the wild has been observed, implementing stricter file type validation on the receiving end (if possible) could provide an additional layer of defense. There are no specific WAF or proxy rules applicable to this client-side vulnerability.
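
The stricter receiving-end validation mentioned above can be sketched as a filename check. This is an added example, not WhatsApp's code or the vendor's fix. It assumes, for illustration only, that one component reads a name up to the first NUL while another uses the whole string; the function names and sample filenames are constructed.

```python
# Added example (not WhatsApp code): flag attachment filenames carrying NUL
# or other control characters before they are shown to a user or saved.
import unicodedata
from dataclasses import dataclass, field


@dataclass
class NameCheck:
    name: str
    ok: bool
    ext_full: str        # extension of the complete string
    ext_truncated: str   # extension seen by a consumer that stops at the first NUL
    reasons: list = field(default_factory=list)


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def check_attachment_name(name: str) -> NameCheck:
    reasons = []
    if "\x00" in name:
        reasons.append("embedded NUL byte")
    if any(c != "\x00" and unicodedata.category(c) == "Cc" for c in name):
        reasons.append("other control character")
    # Assumption: one component may read the name as a C string (up to the
    # first NUL) while another uses the whole string. Compare both views.
    truncated = name.split("\x00", 1)[0]
    ext_full, ext_trunc = _ext(name), _ext(truncated)
    if ext_full != ext_trunc:
        reasons.append(f"extension mismatch: {ext_trunc!r} vs {ext_full!r}")
    return NameCheck(name, not reasons, ext_full, ext_trunc, reasons)


def flagged(names):
    """Return the checks for names that should be rejected or quarantined."""
    return [r for r in map(check_attachment_name, names) if not r.ok]


# Constructed sample names, not taken from any real incident.
SAMPLES = ["report.pdf", "invoice.pdf\x00.exe", "photo\x00.jpg", "notes\t.txt"]

if __name__ == "__main__":
    for r in flagged(SAMPLES):
        print(repr(r.name), r.reasons)
```

Rejecting such names outright is safer than stripping the NUL and continuing, because a cleaned name can still differ from what another component displays or executes.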

How to fix

Update WhatsApp Desktop for Windows to version 2.3000.1032164386.258709 or later to mitigate the file spoofing risk. This update corrects how the application handles filenames, preventing malicious files from running under a false identity. Download the latest version from the official WhatsApp website.

Frequently asked questions

What is CVE-2026-23863 — attachment spoofing in WhatsApp Desktop?

CVE-2026-23863 is a vulnerability in WhatsApp Desktop for Windows allowing attackers to disguise malicious documents as safe files, potentially leading to code execution.

Am I affected by CVE-2026-23863 in WhatsApp Desktop?

You are affected if you are using WhatsApp Desktop for Windows versions 2.3000.0.0–2.3000.1032164386.258709 and have not upgraded.

How do I fix CVE-2026-23863 in WhatsApp Desktop?

Upgrade WhatsApp Desktop for Windows to version 2.3000.1032164386.258709 or later to resolve the vulnerability.

Is CVE-2026-23863 being actively exploited?

As of the current assessment, there is no evidence of CVE-2026-23863 being actively exploited in the wild.

Where can I find the official WhatsApp advisory for CVE-2026-23863?

Refer to the official WhatsApp security advisory for CVE-2026-23863, which can be found on the WhatsApp Security website.
