CVE-2026-25742

Source
https://cve.org/CVERecord?id=CVE-2026-25742
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25742.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25742
Aliases
  • GHSA-f47p-xjqq-g28w
Published
2026-04-03T20:12:07.296Z
Modified
2026-07-08T08:04:57.381691558Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Zulip: Anonymous File Access After Disabling Spectator Access
Details

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enablespectatoraccess / WEBPUBLICSTREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25742.json"
}
References

Affected packages

Git / github.com/zulip/zulip

Affected ranges

Type
GIT
Repo
https://github.com/zulip/zulip
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "11.6"
        }
    ],
    "cpe": "cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}
Type
GIT
Repo
https://github.com/zulip/zulip-mobile
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "11.6"
        }
    ],
    "cpe": "cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

0.*
0.7.1
1.*
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.24
1.0.25
1.0.26
1.0.27
1.0.29
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.8.0-rc1
1.9.0
1.9.0-rc2
1.9.0-rc3
10.*
10.0
10.0-beta1
10.0-beta2
10.1.70
11.*
11.0
11.0-beta1
11.0-beta2
11.0-dev
11.1
11.1.73
11.2
11.3
11.3.74
11.4
11.4.75
11.5
11.5.76
2.*
2.0.0
2.0.0-rc1
2.1-dev
2.1.0
2.1.0-rc1
2.1.33
2.2-dev
2.3.35
2.7.39
3.*
3.0
3.0-dev
3.0-rc1
3.0-rc2
3.0.40
3.1.41
3.2.42
3.3.43
4.*
4.0
4.0-dev
5.*
5.0
5.0-dev
5.0.46
6.*
6.0
6.0-dev
6.6.53
7.*
7.0
7.0-beta3
7.0-dev
7.0.54
7.1.55
7.3.57
8.*
8.0
8.0-beta1
8.0-beta2
8.0-dev
8.1.62
8.2.63
8.3.64
9.*
9.0
9.0-beta1
9.0-dev
9.1.67
shared-0.*
shared-0.0.1
shared-0.0.10
shared-0.0.11
shared-0.0.12
shared-0.0.13
shared-0.0.14
shared-0.0.15
shared-0.0.16
shared-0.0.17
shared-0.0.18
shared-0.0.2
shared-0.0.3
shared-0.0.4
shared-0.0.5
shared-0.0.6
shared-0.0.7
shared-0.0.8
shared-0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25742.json"