Description
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure through anonymous access to attachments and topic history
Action: Patch
AI Analysis

Impact

A missing authorization check (CWE-862) in Zulip versions before 11.6 allows anyone to retrieve attachments that were posted in web-public streams, and to query the /users/me/<stream_id>/topics endpoint anonymously, even after an administrator has disabled spectator access. The flaw exposes the contents of those files and the topic history of web-public streams to unauthenticated parties. It compromises the confidentiality of user data rather than system integrity or availability.

Affected Systems

Zulip deployments running any release from 1.4.0 up to and including the 11.5.x line are affected. The fix ships in version 11.6; installations on that version or newer are not affected by this issue. The defect is in the Zulip application itself, independent of the operating system or hosting model used.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild; the vulnerability is not present in the CISA KEV catalog. The SSVC assessment recorded for this CVE lists Exploitation as "poc" and Automatable as "yes". The attack vector is an unauthenticated client sending plain HTTP GET requests to the affected attachment URLs or to the /users/me/<stream_id>/topics endpoint. No privileges, credentials or user interaction are required; the root cause is a missing permission check in the server-side route handlers. While the impact is limited to leaking confidential data rather than executing code, the ease of access warrants prompt remediation.

Generated by OpenCVE AI on April 13, 2026 at 20:07 UTC.

Remediation

Vendor fix: Zulip 11.6 patches this issue; upgrade to 11.6 or later. No separate workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade Zulip to version 11.6 or later
  • If an upgrade is not possible immediately, delete or reclassify any web‑public streams in addition to disabling spectator access; disabling spectator access alone does not close this issue, because the affected endpoints keep serving web‑public content after that setting is turned off
  • Verify that anonymous requests to attachment URLs and the "/users/me/<stream_id>/topics" endpoint are no longer honored
  • Monitor server logs for any unauthorized data retrieval attempts
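The last two actions, verifying that anonymous requests are refused and watching the access log, can be scripted. The following is an added example written for this page, not Zulip project code. It probes the two endpoint classes named in the advisory without credentials and interprets the response status, and it runs a heuristic over nginx-style access log lines to flag successful anonymous hits on those same paths. The REST prefix /api/v1 (Zulip's documented prefix for /users/me/<stream_id>/topics), the /user_uploads/ attachment path prefix, the combined log format, the stream id 42 and the sample log lines are all assumptions constructed for illustration. The log heuristic only means something after spectator access has been disabled; while it is enabled, anonymous hits on web-public content are expected.

```python
"""Post-upgrade check for CVE-2026-25742 (Zulip < 11.6).

Added example, not Zulip project code. Two parts:
  1. probe_anonymous(): unauthenticated GETs to the advisory's endpoints,
     each mapped to a verdict via interpret_status().
  2. scan_access_log(): heuristic pass over nginx combined-format lines,
     flagging 200 responses on those paths with no Basic-auth user.
Assumptions (not from the advisory): the /api/v1 REST prefix, the
/user_uploads/ attachment prefix, combined log format, stream id 42 and
the sample log lines are constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from typing import Iterable

# Topic-history endpoint under the REST prefix; attachment prefix is assumed.
TOPICS_RE = re.compile(r"^/api/v1/users/me/(\d+)/topics(?:\?.*)?$")
UPLOAD_RE = re.compile(r"^/user_uploads/[^?\s]+")

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def interpret_status(status: int) -> str:
    """Verdict for the status of an anonymous GET.

    200: content served without credentials, still vulnerable.
    401/403: authentication now required, fixed.
    404: ambiguous (the object may simply not exist). Anything else: unknown.
    """
    if status == 200:
        return "VULNERABLE"
    if status in (401, 403):
        return "OK"
    if status == 404:
        return "AMBIGUOUS"
    return "UNKNOWN"


def probe_anonymous(base_url: str, paths: Iterable[str], timeout: float = 10) -> dict:
    """Send unauthenticated GETs and return {path: verdict}. Needs network."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as exc:
            status = exc.code
        results[path] = interpret_status(status)
    return results


def suspicious_hit(path: str, user: str, status: str) -> bool:
    """Heuristic: a 200 on a target path with no Basic-auth user recorded.

    Zulip API clients authenticate with HTTP Basic, so '-' means no API
    credentials were sent. Browser sessions use cookies and also show '-',
    so treat matches as leads to triage, not proof of exploitation.
    """
    if status != "200" or user != "-":
        return False
    return bool(TOPICS_RE.match(path) or UPLOAD_RE.match(path))


def scan_access_log(lines: Iterable[str]) -> list:
    """Return (ip, path) for every successful anonymous hit on a target path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and suspicious_hit(m["path"], m["user"], m["status"]):
            hits.append((m["ip"], m["path"]))
    return hits


# Constructed sample lines (not real traffic) exercising each branch.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2026:12:00:01 +0000] "GET /api/v1/users/me/42/topics HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Apr/2026:12:00:02 +0000] "GET /user_uploads/2/ab/xyz/report.pdf HTTP/1.1" 200 20480 "-" "curl/8.5.0"',
    '203.0.113.5 - alice@example.com [10/Apr/2026:12:00:03 +0000] "GET /api/v1/users/me/42/topics HTTP/1.1" 200 812 "-" "ZulipPython/0.9"',
    '198.51.100.7 - - [10/Apr/2026:12:00:04 +0000] "GET /api/v1/users/me/42/topics HTTP/1.1" 401 77 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Apr/2026:12:00:05 +0000] "GET /api/v1/server_settings HTTP/1.1" 200 300 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"anonymous hit from {ip}: {path}")
    # Live check; substitute your server and a stream id that was web-public:
    # print(probe_anonymous("https://zulip.example.com",
    #                       ["/api/v1/users/me/42/topics"]))
```

Run the live probe against a stream that was web-public before the upgrade and against the URL of an attachment posted in it; "OK" for both means the server now demands authentication. Feed the real nginx access log to scan_access_log and triage any hits dated after spectator access was disabled.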

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Zulip
Zulip zulip
Vendors & Products Zulip
Zulip zulip

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.
Title Zulip: Anonymous File Access After Disabling Spectator Access
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:53:28.819Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25742

Vulnrichment

Updated: 2026-04-08T18:53:18.317Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:10.060

Modified: 2026-04-13T18:07:16.917

Link: CVE-2026-25742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:47Z

Weaknesses