Zulip allows users to edit messages and configure a policy controlling who can view the edit history. In versions prior to 12.0, setting the policy to "moves" – which should limit visibility to only the user who made the edit – still returns historical content via the /api/v1/messages/{id}/history API endpoint. This flaw permits low‑privilege users to retrieve the original text of messages edited by other users, exposing potentially sensitive or confidential information. The weakness arises from improper authorization controls and is identified as CWE‑284, with an additional unspecified CWE reference (NVD-CWE-noinfo).

The vulnerability affects Zulip, the open‑source team collaboration tool, in all releases before version 12.0. Systems running any pre‑12.0 build of Zulip are impacted regardless of deployment size or operating environment.

The CVSS score of 6.0 indicates a medium severity issue. The EPSS score of <1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a legitimate Zulip account with at least low privilege, and access to the REST API. An attacker can simply call the /api/v1/messages/{id}/history endpoint for any message ID that a low-privilege user can view, thereby recovering the edited text of other users' messages. The low exploitation probability suggests a moderate risk level, but the confidentiality impact warrants prompt remediation.