{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T16:48:00.428Z", "datePublished": "2026-04-03T20:12:07.296Z", "dateUpdated": "2026-04-08T18:53:28.819Z"}, "containers": {"cna": {"title": "Zulip: Anonymous File Access After Disabling Spectator Access", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"}, {"name": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236"}, {"name": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae"}, {"name": "https://github.com/zulip/zulip/releases/tag/11.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/releases/tag/11.6"}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"version": "< 11.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:12:07.296Z"}, "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6."}], "source": {"advisory": "GHSA-f47p-xjqq-g28w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:53:23.592418Z", "id": "CVE-2026-25742", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:53:28.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25742", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T18:53:23.592418Z"}}}], "references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:53:18.317Z"}}], "cna": {"title": "Zulip: Anonymous File Access After Disabling Spectator Access", "source": {"advisory": "GHSA-f47p-xjqq-g28w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"status": "affected", "version": "< 11.6"}]}], "references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "name": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236", "name": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae", "name": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zulip/zulip/releases/tag/11.6", "name": "https://github.com/zulip/zulip/releases/tag/11.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:12:07.296Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25742", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:53:28.819Z", "dateReserved": "2026-02-05T16:48:00.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T20:12:07.296Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6."}], "id": "CVE-2026-25742", "lastModified": "2026-04-08T19:25:13.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T21:17:10.060", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236"}, {"source": "security-advisories@github.com", "url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae"}, {"source": "security-advisories@github.com", "url": "https://github.com/zulip/zulip/releases/tag/11.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,11.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zulip", "source": "cna", "vendor": "zulip"}, "product": "zulip", "vendor": "zulip"}], "analysis": {"en": {"generated_at": "2026-04-03T22:51:05.278860+00:00", "value": {"mitigation_remediation": ["Upgrade Zulip to version\u202f11.6 or later.", "Verify that spectator access is truly disabled and that no web\u2011public streams remain available after the upgrade.", "If an upgrade is delayed, limit public\u2011stream visibility via configuration until the patch can be applied."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Data Exposure"}, "threat_synthesis": {"affected_systems": "All deployments of Zulip from version\u202f1.4.0 up to, but not including, 11.6 are vulnerable, regardless of whether spectator access is currently enabled or disabled. The vulnerability is tied to the handling of attachments and topic lookup in those versions.", "description_and_impact": "Zulip versions earlier than 11.6 allow any unauthenticated user to download attachment files that originated on web\u2011public streams and to view topic history for those streams even after spectator access has been disabled, thereby exposing private data without proper authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the lack of an EPSS score or KEV listing suggests it has not yet been actively exploited. Attackers can exploit the flaw remotely without credentials by accessing the /users/me/<stream_id>/topics endpoint or the attachment URLs, thereby reading confidential files and conversation history."}}}}, "created": "2026-04-06T21:22:53.789337+00:00", "updated": "2026-04-07T07:16:37.916237+00:00", "vendors": ["zulip", "zulip$PRODUCT$zulip"]}