
CVE-2025-31478 – Zulip Authentication Backend Configuration Bypass
https://notcve.org/view.php?id=CVE-2025-31478
16 Apr 2025 — Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single sign-on authentication backend, meaning the organization places no restrictions on email address domains and does not require invitations to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations, without having an acc... • https://github.com/zulip/zulip/security/advisories/GHSA-qxfv-j6vg-5rqc • CWE-287: Improper Authentication •

CVE-2025-30369 – Zulip allows the deletion of Custom profile fields by administrators of a different organization
https://notcve.org/view.php?id=CVE-2025-30369
31 Mar 2025 — Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization. This is fixed in Zulip Server 10.1. • https://github.com/zulip/zulip/security/advisories/GHSA-fcgx-q63f-7gw4 • CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key •

CVE-2025-30368 – Zulip allows the deletion of organization exports by administrators of a different organization
https://notcve.org/view.php?id=CVE-2025-30368
31 Mar 2025 — Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the export belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1. • https://github.com/zulip/zulip/commit/07dcee36b2a34d63429d7a706f880628cf3433df • CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key •
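The two CWE-566 entries above (CVE-2025-30369 and CVE-2025-30368) share one bug shape: the handler checks the caller's role (organization administrator) but looks the target row up by its user-supplied primary key alone, never checking which organization owns it. The following is an added, illustrative example and not Zulip's code; the names Realm, User, CustomProfileField, FIELDS and the delete_field_* functions are assumptions chosen for the example. It shows the role-only check beside the tenant-scoped fix, and a small constructed dataset to exercise both.

```python
"""Illustrative example (not Zulip's code) of the cross-organization
authorization bypass pattern behind CVE-2025-30369 / CVE-2025-30368:
a delete handler that looks a row up purely by its user-supplied primary
key, beside the fix that scopes the lookup to the caller's own organization.
All class and function names here are assumptions for this example."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass(frozen=True)
class Realm:
    id: int
    name: str


@dataclass(frozen=True)
class User:
    id: int
    realm: Realm
    is_realm_admin: bool


@dataclass
class CustomProfileField:
    id: int
    realm: Realm
    name: str


# Constructed in-memory "table" keyed by primary key, standing in for the DB.
FIELDS: dict[int, CustomProfileField] = {}


def _require_admin(user: User) -> None:
    if not user.is_realm_admin:
        raise PermissionDenied("organization administrators only")


def delete_field_vulnerable(user: User, field_id: int) -> None:
    """Checks the caller's *role* but not the row's *tenant*:
    an admin of any organization can delete any field by id."""
    _require_admin(user)
    if field_id not in FIELDS:
        raise NotFound(field_id)
    del FIELDS[field_id]


def delete_field_fixed(user: User, field_id: int) -> None:
    """Scopes the lookup to the caller's realm. A foreign id gets the same
    NotFound as a nonexistent id, so the endpoint is not an existence oracle."""
    _require_admin(user)
    row = FIELDS.get(field_id)
    if row is None or row.realm.id != user.realm.id:
        raise NotFound(field_id)
    del FIELDS[field_id]


def seed() -> tuple[User, User]:
    """Construct two organizations, one admin each, and one field per realm."""
    FIELDS.clear()
    acme, globex = Realm(1, "acme"), Realm(2, "globex")
    FIELDS[10] = CustomProfileField(10, acme, "Pronouns")
    FIELDS[20] = CustomProfileField(20, globex, "Desk location")
    return User(100, acme, True), User(200, globex, True)


def demo_vulnerable() -> bool:
    """True if the globex admin was able to delete acme's field (the bug)."""
    _acme_admin, globex_admin = seed()
    delete_field_vulnerable(globex_admin, 10)
    return 10 not in FIELDS


def demo_fixed() -> bool:
    """True if the fix blocks the cross-realm delete while the owning
    organization's admin can still delete the same field."""
    acme_admin, globex_admin = seed()
    try:
        delete_field_fixed(globex_admin, 10)
        return False  # cross-realm delete must not succeed
    except NotFound:
        pass
    if 10 not in FIELDS:
        return False
    delete_field_fixed(acme_admin, 10)
    return 10 not in FIELDS


if __name__ == "__main__":
    print("vulnerable handler lets foreign admin delete:", demo_vulnerable())
    print("fixed handler scopes delete to own realm:", demo_fixed())
```

In an ORM-backed handler the equivalent fix is to add the tenant to the lookup itself (for example, filtering on the caller's organization as well as the id) rather than fetching by id and comparing afterwards, so that every code path that resolves the object is tenant-scoped and a missing ownership check cannot be reintroduced by a later refactor.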

CVE-2025-27149 – Zulip exports can leak private data
https://notcve.org/view.php?id=CVE-2025-27149
31 Mar 2025 — Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The collection of user-agent types identifying specific integrations or HTTP libraries (e.g., ZulipGitlabWebhook, okhttp, or PycURL) that have been used to access any organization on the server was incorrectly included in all three export types, regardless of whether they were used to access the exported organization or not... • https://github.com/zulip/zulip/security/advisories/GHSA-358p-x39m-99mm • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •

CVE-2024-56136 – /api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server
https://notcve.org/view.php?id=CVE-2024-56136
16 Jan 2025 — Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclosure attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the `main` branch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/zulip/zulip/commit/c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-27286 – Moving single messages from public to private streams leaves them accessible
https://notcve.org/view.php?id=CVE-2024-27286
20 Mar 2024 — Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to move just one message, and was moving it from a public stream to a private stream, Zulip would successfully move the message -- but active users who did not have access to the private stream, but whose client had already received the message, would continue to see the message in the p... • https://github.com/zulip/zulip/commit/3db1733310ddd944c2e690ba673232345c928eec • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-28623 – Unauthorized user can register an account in specific configurations in Zulip
https://notcve.org/view.php?id=CVE-2023-28623
19 May 2023 — Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that (1) `ZulipLDAPAuthBackend` and an external authentication backend (any other than `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py`, and (2) the organization permissions don't require invitations to join, an attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organiz... • https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8d • CWE-285: Improper Authorization CWE-862: Missing Authorization •

CVE-2023-32677 – Users who can send invitations can erroneously add users to streams during invitation in Zulip
https://notcve.org/view.php?id=CVE-2023-32677
19 May 2023 — Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in... • https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5 • CWE-862: Missing Authorization •

CVE-2022-36048 – IP address leak via image proxy bypass in Zulip Server
https://notcve.org/view.php?id=CVE-2022-36048
31 Aug 2022 — Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Se... • https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452 • CWE-436: Interpretation Conflict •

CVE-2022-35962 – Crafted link in Zulip message can cause disclosure of credentials
https://notcve.org/view.php?id=CVE-2022-35962
29 Aug 2022 — Zulip is an open-source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in version 27.190. • https://blog.zulip.com/2022/08/24/zulip-server-5-6-security-release • CWE-184: Incomplete List of Disallowed Inputs CWE-436: Interpretation Conflict CWE-697: Incorrect Comparison •