Skip to main content

Zulip Server CVE-2024-56136

MEDIUM
Information Exposure (CWE-200)
2025-01-16 security-advisories@github.com
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:04 vuln.today
Patch released
Mar 28, 2026 - 18:04 nvd
Patch available
CVE Published
Jan 16, 2025 - 20:15 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the main branch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

Zulip server provides an open-source team chat that helps teams stay productive and focused. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the main branch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Zulip Zulip Server.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2022-21706 CRITICAL
9.8 Feb 26

Zulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vul

CVE-2019-18933 CRITICAL
9.8 Nov 21

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registere

CVE-2020-10935 MEDIUM POC
5.4 Apr 20

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5

CVE-2017-0910 HIGH
8.8 Nov 27

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authori

CVE-2020-15070 HIGH
8.8 Aug 21

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres

CVE-2025-31478 HIGH
8.2 Apr 16

Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita

CVE-2024-36612 HIGH
7.5 Nov 29

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5),

CVE-2020-14215 HIGH
7.5 Aug 21

Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrato

CVE-2025-52559 MEDIUM
6.8 Jul 02

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL

CVE-2017-0896 MEDIUM
6.5 Jun 02

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zuli

CVE-2024-27286 MEDIUM
6.5 Mar 20

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2023-32678 MEDIUM
6.5 Aug 25

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se

Share

CVE-2024-56136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy