CVE-2026-26058
Path Traversal in Zulip Import Allows Arbitrary File Disclosure
Publication date: 2026-04-03
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zulip | zulip | From 1.4.0 (inc) to 11.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Zulip, an open-source team collaboration tool, in versions from 1.4.0 up to but not including 11.6. It lies in the import process run with the ./manage.py import command, which reads an export tarball from the server filesystem and restores its contents. The file paths listed in the export's uploads/records.json are not validated before the importer uses them, so a crafted tarball whose records contain traversal segments (such as ../) or absolute paths causes the server to copy any file the zulip system user can read into the uploads directory during the import.
This means an attacker who can get an administrator to import a malicious export tarball can trick the server into exposing arbitrary readable files from its filesystem. The attack vector is the import of an attacker-supplied export file; the attacker does not need an account on the target server.
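The following is an added example, not Zulip's own code, showing the unsafe path construction the advisory describes beside a hardened form, and a pre-import audit that reads uploads/records.json out of a tarball without extracting anything. It assumes the export layout the advisory describes (a tarball containing uploads/records.json, a JSON list whose entries carry a relative "path"); the record keys, the hypothetical export root /srv/zulip-export and the sample records are constructed for the demonstration.

```python
"""Pre-import audit for a Zulip-style export tarball (added example, not Zulip code)."""
import io
import json
import os
import tarfile
import tempfile

# Hypothetical directory an operator unpacks the export into; any prefix works
# because only the relative placement of each record path matters for the check.
EXPORT_ROOT = "/srv/zulip-export"


def unsafe_source_path(export_root, record_path):
    """The trusting pattern behind the flaw: join whatever records.json says.

    os.path.join drops export_root entirely when record_path is absolute, and
    "../" segments walk out of the uploads directory, so the copy that follows
    can read any file the zulip user can read.
    """
    return os.path.join(export_root, "uploads", record_path)


def safe_source_path(export_root, record_path):
    """Hardened form: resolve the path, then require it to stay under uploads/."""
    base = os.path.realpath(os.path.join(export_root, "uploads"))
    candidate = os.path.realpath(os.path.join(base, record_path))
    # realpath also follows symlinks, so a link inside the export pointing
    # outside it is rejected the same way as a ".." segment.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"record path escapes the export: {record_path!r}")
    return candidate


def audit_records(records, export_root):
    """Return every record path that would resolve outside the export."""
    escaping = []
    for record in records:
        try:
            safe_source_path(export_root, record["path"])
        except ValueError:
            escaping.append(record["path"])
    return escaping


def audit_export_tarball(tar_path, export_root=EXPORT_ROOT):
    """Read uploads/records.json from the tarball and audit it before any import runs."""
    with tarfile.open(tar_path, "r:*") as tar:
        # Exports may carry a top-level directory, so match by suffix.
        member = next(
            (m for m in tar.getmembers() if m.name.endswith("uploads/records.json")),
            None,
        )
        if member is None:
            raise ValueError("tarball has no uploads/records.json")
        records = json.load(tar.extractfile(member))
    return audit_records(records, export_root)


def build_sample_export(dest_dir):
    """Constructed sample tarball (not a real export): one benign and two malicious records."""
    records = [
        {"path": "2/ab/report.pdf", "size": 1234},       # stays inside uploads/
        {"path": "../../../../etc/passwd", "size": 0},   # traversal out of the export
        {"path": "/etc/hosts", "size": 0},               # absolute path, join discards the root
    ]
    tar_path = os.path.join(dest_dir, "zulip-export.tar.gz")
    payload = json.dumps(records).encode()
    with tarfile.open(tar_path, "w:gz") as tar:
        info = tarfile.TarInfo("zulip-export/uploads/records.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return tar_path


def run_demo():
    """Build the constructed tarball in a temp dir and return the escaping record paths."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_export_tarball(build_sample_export(tmp))


if __name__ == "__main__":
    for path in run_demo():
        print("would escape the export:", path)
```

Running the audit against a tarball before invoking ./manage.py import flags both the ../ record and the absolute-path record; the benign record passes. The same commonpath check, applied where the importer builds its source path, is the shape of fix a reviewer would expect for CWE-22.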
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive files on the server, because the import copies arbitrary files readable by the zulip user into the uploads directory, where they are exposed as part of the imported data. This could reveal configuration files, credentials, or any other data the zulip system user can read.
The CVSS score of 6.1 indicates medium severity, with high confidentiality impact, low integrity impact, and no availability impact. The score is tempered by the fact that exploitation requires an operator to import a tarball supplied by the attacker.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Zulip version 11.6. Upgrade your Zulip installation to version 11.6 or later. Until the upgrade is applied, only import export tarballs that you generated yourself or received from a source you trust, and inspect uploads/records.json in the tarball for absolute paths or ../ segments before running ./manage.py import.