Description
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
Published: 2026-04-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read arbitrary server files
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a path traversal flaw (CWE‑22) in the Zulip import feature. When an export tarball is imported, the server processes the uploads/records.json file without sanitizing file paths. An attacker can craft a tarball that references files outside the intended directory, causing the Zulip process, which runs under the zulip user, to copy any readable file into the uploads directory. The result is unauthorized disclosure of arbitrary server files.

Affected Systems

All releases of Zulip from version 1.4.0 up to, but not including, 11.6 are affected. The flaw is triggered by the ./manage.py import command or the web interface that performs the same import operation. Any installation that allows import of export tarballs is vulnerable. The issue was fixed in Zulip 11.6.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to supply a crafted import tarball and trigger the import, typically available to administrators or authenticated users with import privileges. Once successful, the attacker can read any file that the zulip user can access, potentially revealing sensitive configuration data or credentials, which could facilitate further attacks.

Generated by OpenCVE AI on April 3, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zulip to version 11.6 or newer.
  • Restrict the import endpoint to trusted users or networks.

Generated by OpenCVE AI on April 3, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Zulip
Zulip zulip
Vendors & Products Zulip
Zulip zulip

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
Title Zulip: Path Traversal in Import
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Zulip Zulip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:11:57.089Z

Reserved: 2026-02-10T18:01:31.899Z

Link: CVE-2026-26058

cve-icon Vulnrichment

Updated: 2026-04-06T13:11:52.739Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T21:17:10.230

Modified: 2026-04-22T18:17:00.207

Link: CVE-2026-26058

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:22:13Z

Weaknesses