CVE-2026-40300
Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Zulip is an open-source team collaboration tool. Prior to 12.0, with message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.
| CWE | CWE-284 |
| Vendor | zulip |
| Product | zulip |
| Published | May 12, 2026 |
| Last Updated | May 13, 2026 |
Affected Versions
zulip / zulip
< 12.0