CVE-2026-25741
Status: Received - Intake
Authorization Bypass in Zulip Cloud Allows Payment Method Changes

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.
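Added example, not Zulip's or Stripe's code: a constructed Python model of the flow the description outlines, showing the pre-fix membership-only gate on the card update endpoint beside the billing-specific check the fix adds, and a webhook handler that replaces the payment method without re-examining who started the session. Role names, field names and the event payload shape are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the authorization flaw in CVE-2026-25741. Role names, fields
# and the webhook payload shape are hypothetical: this is neither Zulip's nor Stripe's
# code, and the patched path follows the advisory's description, not the real commit.

@dataclass(frozen=True)
class User:
    user_id: int
    realm_id: int
    is_realm_owner: bool = False
    is_billing_admin: bool = False

@dataclass
class Realm:
    realm_id: int
    default_payment_method: str = "pm_constructed_old"

class AuthorizationError(Exception):
    pass

def is_member(user: User, realm: Realm) -> bool:
    """The only gate the vulnerable endpoint applied: organization membership."""
    return user.realm_id == realm.realm_id

def can_manage_billing(user: User, realm: Realm) -> bool:
    """Billing-specific gate (assumed policy): owners or designated billing admins."""
    return is_member(user, realm) and (user.is_realm_owner or user.is_billing_admin)

def create_card_update_session(user: User, realm: Realm, patched: bool) -> dict:
    """Start a Stripe Checkout setup session for the upgrade flow. patched=False
    reproduces the pre-fix behaviour (membership is enough); patched=True enforces
    the billing check here, which is where it belongs because the webhook below
    acts on any completed session."""
    gate = can_manage_billing if patched else is_member
    if not gate(user, realm):
        raise AuthorizationError("billing access required")
    return {"mode": "setup", "metadata": {"realm_id": realm.realm_id, "user_id": user.user_id}}

def handle_checkout_completed(event: dict, realm: Realm) -> str:
    """Webhook side: when Stripe reports the session completed, the organization's
    default payment method is replaced. Only the realm binding is checked; the
    requester's privileges are not re-examined, so session creation is the gate."""
    session = event["data"]["object"]  # hypothetical, simplified payload shape
    if session["metadata"]["realm_id"] != realm.realm_id:
        raise AuthorizationError("session does not belong to this realm")
    realm.default_payment_method = session["payment_method"]
    return realm.default_payment_method
```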
Meta Information
Published: 2026-02-26
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: zulip
Product: zulip
Version / Range: up to bf28c82dc9b1f630fa8e9106358771b20a0040f7 (inclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Immediate steps include ensuring that your Zulip Cloud deployment is updated to include this patch.

Self-hosted deployments are not affected and do not require any patch or upgrade.


Can you explain this vulnerability to me?

This vulnerability exists in Zulip, an open-source team collaboration tool. Before a specific patch, the API endpoint that creates a card update session during an upgrade flow was accessible to users with only organization member privileges, not just billing administrators.

When a Stripe Checkout session completes, a Stripe webhook updates the organization's default payment method. Because there was no billing-specific authorization check, any regular organization member (not just billing admins) could change the organization's payment method.

This issue affected the Zulip Cloud payment processing system and has been fixed in a patch. Self-hosted deployments were not affected and do not require any upgrade.


How can this vulnerability impact me?

This vulnerability allows any organization member, even those without billing privileges, to change the organization's default payment method via the Stripe integration.

The impact includes unauthorized modification of payment details, which could lead to billing disruptions, financial fraud, or misuse of the organization's payment information.

Because the vulnerability does not affect confidentiality but impacts integrity and availability of billing information, it could cause financial and operational issues for the organization.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

