CVE-2026-25742
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
13/04/2026
Description
Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me//topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:* | 1.4.0 (including) | 11.6 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236
- https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae
- https://github.com/zulip/zulip/releases/tag/11.6
- https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w
- https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w