CVE-2026-25742
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
08/04/2026
Description
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me//topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6.
Impact
Base Score 3.x:
5.30
Severity 3.x:
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236
- https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae
- https://github.com/zulip/zulip/releases/tag/11.6
- https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w