CVE-2026-26058
Received Received - Intake
Path Traversal in Zulip Import Allows Arbitrary File Disclosure

Publication date: 2026-04-03

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26058
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zulip zulip From 1.4.0 (inc) to 11.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Zulip, an open-source team collaboration tool, in versions from 1.4.0 up to but not including 11.6. The issue occurs during the import process using the ./manage.py import command, which reads files from the server filesystem. Due to a path traversal flaw in the uploads/records.json file, a crafted export tarball can cause the server to copy any file that the zulip user has read access to into the uploads directory during import.

This means an attacker who can create a malicious export tarball can trick the server into exposing arbitrary files from its filesystem.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive files on the server because an attacker can cause the server to copy arbitrary readable files into the uploads directory. This could expose confidential information, such as configuration files, credentials, or other sensitive data accessible by the zulip user.

The CVSS score of 6.1 indicates a medium severity impact, with high confidentiality impact, low integrity impact, and no availability impact.

Mitigation Strategies

The vulnerability has been patched in Zulip version 11.6. To mitigate this vulnerability, you should upgrade your Zulip installation to version 11.6 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart