CVE-2026-25742
Status: Received - Intake
Unauthorized Access in Zulip Allows Anonymous Attachment and Topic Retrieval

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously, so file contents remain accessible after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6.
Affected Vendors & Products
Vendor: zulip
Product: zulip
Version / Range: from 1.4.0 (inclusive) to 11.6 (exclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects Zulip, an open-source team collaboration tool, in versions from 1.4.0 up to but not including 11.6. Even when spectator access is disabled, attachments from web-public streams can still be accessed anonymously. Additionally, the endpoint that provides topic history for web-public streams remains accessible without authentication. This means that files and topic histories intended to be private after disabling public access remain exposed.

Impact Analysis

The vulnerability allows unauthorized users to access attachments and topic histories from web-public streams even after public access has been disabled. This can lead to unintended information disclosure, where sensitive or confidential files and discussions may be viewed by anonymous users without permission.

Mitigation Strategies

To mitigate this vulnerability, upgrade Zulip to version 11.6 or later, where the issue has been patched. On affected versions, turning off spectator access does not by itself stop anonymous retrieval of web-public attachments or of the /users/me/<stream_id>/topics endpoint, so the setting change is not a substitute for the upgrade.
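A post-upgrade verification, added here as an example and not taken from the advisory or from Zulip's own code: it sends credential-less requests to the two paths the advisory names and reports whether either still answers anonymously. It assumes Zulip's REST prefix /api/v1/ in front of the topics endpoint, takes the attachment URL from the operator (the /user_uploads/... path format in the usage line is an assumption), and treats only an HTTP 200 with topic data, or an HTTP 200 for the attachment, as anonymous exposure; those decision rules are the script's own, not Zulip's.

```python
"""Anonymous-access check for CVE-2026-25742 (added example, not Zulip code).

Probes a Zulip server without credentials and reports whether the two paths
named in the advisory still answer anonymously:
  * GET /api/v1/users/me/<stream_id>/topics   (topic history)
  * an attachment URL supplied by the operator (for example a /user_uploads/...
    link copied from a formerly web-public stream; the path format is an
    assumption, the script never builds one itself)
Only status codes and response shape are inspected; nothing is modified.
"""
import json
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as its raw status instead of following it to a login page,
    which would otherwise look like a successful 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def anonymous_get(url, timeout=10):
    """Unauthenticated GET; returns (status, body) and never raises on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-25742-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def topics_exposed(status, body):
    """True when the anonymous topics request succeeded and carried topic data.

    Zulip API responses are JSON carrying a "result" key; a server that denies
    the anonymous call answers with a non-200 status and result == "error".
    A 200 that is not JSON (e.g. an HTML login page) is not counted as exposure.
    """
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return data.get("result") == "success" and isinstance(data.get("topics"), list)


def attachment_exposed(status):
    """True when the attachment bytes were served (200). A redirect, 401, 403
    or 404 means the anonymous request did not receive the file."""
    return status == 200


def check_server(base_url, stream_id, attachment_url=None):
    """Run both probes and return {"topics": bool, "attachment": bool or None}."""
    base = base_url.rstrip("/")
    status, body = anonymous_get(f"{base}/api/v1/users/me/{int(stream_id)}/topics")
    findings = {"topics": topics_exposed(status, body), "attachment": None}
    if attachment_url:
        status, _ = anonymous_get(attachment_url)
        findings["attachment"] = attachment_exposed(status)
    return findings


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 3:
        sys.exit("usage: check.py https://zulip.example.com <stream_id> "
                 "[https://zulip.example.com/user_uploads/...]")
    results = check_server(sys.argv[1], sys.argv[2], *sys.argv[3:4])
    for name, exposed in results.items():
        if exposed is None:
            continue  # no attachment URL was given
        print(f"{name}: {'EXPOSED anonymously' if exposed else 'not served anonymously'}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it from a host with no Zulip session or API key, after disabling spectator access and upgrading; a non-zero exit means one of the two paths is still served to anonymous clients and the upgrade or the setting did not take effect.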

Compliance Impact

The vulnerability allows anonymous retrieval of attachments and topic history from web-public streams even after spectator access is disabled. This could lead to unauthorized access to potentially sensitive information.

Such unauthorized access to data may impact compliance with data protection regulations like GDPR and HIPAA, which require controlling access to personal and sensitive information.

However, the provided information does not explicitly state the direct impact on compliance with these standards.
