{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T16:48:00.428Z", "datePublished": "2026-04-03T20:12:07.296Z", "dateUpdated": "2026-04-08T18:53:28.819Z"}, "containers": {"cna": {"title": "Zulip: Anonymous File Access After Disabling Spectator Access", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"}, {"name": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236"}, {"name": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae"}, {"name": "https://github.com/zulip/zulip/releases/tag/11.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/releases/tag/11.6"}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"version": "< 11.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:12:07.296Z"}, "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6."}], "source": {"advisory": "GHSA-f47p-xjqq-g28w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:53:23.592418Z", "id": "CVE-2026-25742", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:53:28.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25742", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T18:53:23.592418Z"}}}], "references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:53:18.317Z"}}], "cna": {"title": "Zulip: Anonymous File Access After Disabling Spectator Access", "source": {"advisory": "GHSA-f47p-xjqq-g28w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"status": "affected", "version": "< 11.6"}]}], "references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "name": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236", "name": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae", "name": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zulip/zulip/releases/tag/11.6", "name": "https://github.com/zulip/zulip/releases/tag/11.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:12:07.296Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25742", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:53:28.819Z", "dateReserved": "2026-02-05T16:48:00.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T20:12:07.296Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*", "matchCriteriaId": "1599A04E-3187-4BCA-A29C-22595CCB1BA8", "versionEndExcluding": "11.6", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6."}], "id": "CVE-2026-25742", "lastModified": "2026-04-13T18:07:16.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T21:17:10.060", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zulip/zulip/releases/tag/11.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,11.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zulip", "source": "cna", "vendor": "zulip"}, "product": "zulip", "vendor": "zulip"}], "analysis": {"en": {"generated_at": "2026-04-13T20:07:47.180322+00:00", "value": {"mitigation_remediation": ["Upgrade Zulip to version 11.6 or later", "If an upgrade is not possible immediately, disable spectator access in the server configuration and delete or reclassify any web\u2011public streams", "Verify that anonymous requests to attachment URLs and the \"/users/me/<stream_id>/topics\" endpoint are no longer honored", "Monitor server logs for any unauthorized data retrieval attempts"], "summary": {"action": "Patch", "impact": "Unauthorized data disclosure through anonymous access to attachments and topic history"}, "threat_synthesis": {"affected_systems": "All Zulip deployments running any release between 1.4.0 and 11.5.x are susceptible. The fix is integrated in version 11.6 and any installation of that version or newer is considered secure against this issue. The vulnerability impacts the Zulip collaboration platform regardless of the operating system or hosting model used.", "description_and_impact": "A missing access control check in Zulip versions before 11.6 allows anyone to retrieve attachments that were created in web\u2011public streams even after perpetrating disabling spectator access, and to query the \"/users/me/<stream_id>/topics\" endpoint anonymously. The flaw exposes the contents of those files and the full conversation history stored on public streams to unauthenticated parties. This is an authorization bypass (CWE\u2011862) that compromises confidentiality of user data rather than system integrity or availability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild; the vulnerability is not present in the CISA KEV catalog. The likely attack vector is the act of an unauthenticated user sending straightforward HTTP GET requests to the affected attachment URLs or the \"/users/me/<stream_id>/topics\" endpoint. No special privileges or credentials are required, and the mechanism exploits a missing permission check on server\u2011side route handlers. While the impact is limited to leaking confidential data rather than executing code, the ease of access warrants prompt remediation."}}}}, "created": "2026-04-06T21:22:53.789337+00:00", "updated": "2026-04-14T16:41:47.474315+00:00", "vendors": ["zulip", "zulip$PRODUCT$zulip"]}