Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25742
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-03 Apr, 2026 | 20:12
Updated At-08 Apr, 2026 | 18:53
Rejected At-
▼CVE Numbering Authority (CNA)
Zulip: Anonymous File Access After Disabling Spectator Access

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.

Affected Products
Vendor
Kandra Labs, Inc. (Zulip)zulip
Product
zulip
Versions
Affected
  • < 11.6
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w
x_refsource_CONFIRM
https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236
x_refsource_MISC
https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae
x_refsource_MISC
https://github.com/zulip/zulip/releases/tag/11.6
x_refsource_MISC
Hyperlink: https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236
Resource:
x_refsource_MISC
Hyperlink: https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae
Resource:
x_refsource_MISC
Hyperlink: https://github.com/zulip/zulip/releases/tag/11.6
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w
exploit
Hyperlink: https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w
Resource:
exploit
Details not found