Description
Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.
Published: 2026-02-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payment Method Modification
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows users with only organization member privileges to access an API endpoint that initiates a card update session. When a Stripe Checkout session is completed, a webhook updates the organization’s default payment method without enforcing billing‑specific authorization. Because the access control is bypassed, a regular member can change the default card on the organization’s account. This creates a financial risk by enabling unauthorized changes to billing information and is categorized as CWE‑863, an authorization bypass weakness.
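As an added illustration (not Zulip's own code and not part of the advisory), the two authorization shapes side by side in a minimal Python model: the membership-only gate the advisory describes, and the billing-access gate the fix requires. The role ladder, `has_billing_access`, `is_billing_admin` and the session-id strings are assumptions for the example, not Zulip identifiers.

```python
from dataclasses import dataclass
from enum import IntEnum

class Role(IntEnum):  # constructed role ladder; lower value = more privilege
    OWNER = 100
    ADMIN = 200
    MEMBER = 400
    GUEST = 600

@dataclass
class UserProfile:
    email: str
    role: Role
    is_billing_admin: bool = False  # assumed explicit billing-admin flag

    @property
    def has_billing_access(self) -> bool:
        # Only owners and designated billing admins may change payment details.
        return self.role == Role.OWNER or self.is_billing_admin

def create_card_update_session_vulnerable(user: UserProfile) -> str:
    """Vulnerable shape: any full member may start a card-update session.
    The webhook that completes the session later sets the org's default
    payment method without re-checking the user, so this is the only gate."""
    if user.role > Role.MEMBER:
        raise PermissionError("organization membership required")
    return f"cs_constructed_{user.email}"  # stands in for a Checkout session id

def create_card_update_session_fixed(user: UserProfile) -> str:
    """Hardened shape: require billing access before a session is created."""
    if not user.has_billing_access:
        raise PermissionError("billing access required")
    return f"cs_constructed_{user.email}"

def can_start_session(handler, user: UserProfile) -> bool:
    """True if `handler` lets `user` create a card-update session."""
    try:
        handler(user)
    except PermissionError:
        return False
    return True

# Constructed sample users for the checks below.
MEMBER = UserProfile("member@example.com", Role.MEMBER)
OWNER = UserProfile("owner@example.com", Role.OWNER)
BILLING_ADMIN = UserProfile("billing@example.com", Role.MEMBER, is_billing_admin=True)
```

Because the webhook side acts on the completed session alone, the authorization decision has to be made where the session is created; adding a check in the webhook would be too late.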

Affected Systems

The affected product is Zulip, an open‑source team collaboration tool. Versions deployed before the commit identified by bf28c82dc in the Zulip repository are vulnerable. Self‑hosted installations are no longer affected after this commit, and no additional patch is required for those deployments.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need legitimate organization membership and access to the API; the attack vector is internal or through legitimate user credentials, so exploitation becomes likely if credentials are compromised or reused. Monitoring account changes and restricting API permissions are advisable until the patch is deployed.

Generated by OpenCVE AI on April 16, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Zulip software to the commit bf28c82dc or a later release that includes the fix.
  • In Zulip Cloud, verify that only billing‑role users or higher have access to the card update endpoint and remove any unintended permissions.
  • Review the organization’s user roles and ensure that only authorized billing personnel are granted billing staff privileges.


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Zulip; Zulip zulip
Type: Vendors & Products
Values Added: Zulip; Zulip zulip

Thu, 26 Feb 2026 22:00:00 +0000

Type: Description
Values Added: Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.
Type: Title
Values Added: Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing Users
Type: Weaknesses
Values Added: CWE-863
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:37:43.113Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25741

Vulnrichment

Updated: 2026-03-03T20:37:38.261Z

NVD

Status : Deferred

Published: 2026-02-26T22:20:46.170

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses