Description

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.

INFO

Published Date :

2026-04-03T20:12:07.296Z

Last Modified :

2026-04-08T18:53:28.819Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25742 vulnerability.

Vendors Products
Zulip
  • Zulip
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25742.

URL Resource
https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236 cve-icon cve-icon
https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae cve-icon cve-icon
https://github.com/zulip/zulip/releases/tag/11.6 cve-icon cve-icon
https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact