CVE-2026-25742

MEDIUM 5.3

Zulip: Anonymous File Access After Disabling Spectator Access

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

9th

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.

CWE	CWE-862
Vendor	zulip
Product	zulip
Published	Apr 3, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for zulip zulip

Be the first to know when new medium vulnerabilities affecting zulip zulip are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

zulip / zulip

< 11.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w github.com: https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236 github.com: https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae github.com: https://github.com/zulip/zulip/releases/tag/11.6