CVE-2026-25741

HIGH 7.1

Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing Users

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.

CWE	CWE-863
Vendor	zulip
Product	zulip
Published	Feb 26, 2026
Last Updated	Mar 3, 2026

Stay Ahead of the Next One

Get instant alerts for zulip zulip

Be the first to know when new high vulnerabilities affecting zulip zulip are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

zulip / zulip

< bf28c82dc9b1f630fa8e9106358771b20a0040f7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/zulip/zulip/security/advisories/GHSA-vhhx-84f7-rc8j github.com: https://github.com/zulip/zulip/commit/bf28c82dc9b1f630fa8e9106358771b20a0040f7