Skip to main content

Zulip CVE-2025-30368

LOW
Authorization Bypass Through User-Controlled SQL Primary Key (CWE-566)
2025-03-31 security-advisories@github.com
2.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:34 vuln.today
Patch released
Mar 28, 2026 - 18:34 nvd
Patch available
CVE Published
Mar 31, 2025 - 17:15 nvd
LOW 2.7

DescriptionGitHub Advisory

Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1.

AnalysisAI

Zulip is an open-source team collaboration tool. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-566. Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1. Affected products include: Zulip.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Zulip

View all
CVE-2021-41115 MEDIUM POC
6.5 Oct 07

Zulip is an open source team chat server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2022-31168 HIGH
8.8 Jul 22

Zulip is an open source team chat tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2019-10476 HIGH
7.8 Oct 23

Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins ma

CVE-2022-24751 HIGH
7.4 Mar 16

Zulip is an open source group chat application. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitab

CVE-2026-26058 MEDIUM
6.1 Apr 03

Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server fil

CVE-2026-40300 MEDIUM
6.0 May 12

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "move

CVE-2022-35962 MEDIUM
5.7 Aug 29

Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. Rated medium severity (CVSS 5.7)

CVE-2024-36624 MEDIUM
5.4 Nov 29

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. Rated me

CVE-2024-36625 MEDIUM
5.4 Nov 29

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. Rated medi

CVE-2026-25742 MEDIUM
5.3 Apr 03

Zulip versions 1.4.0 through 11.5 allow unauthenticated retrieval of attachments and topic history from web-public strea

CVE-2021-43791 MEDIUM
5.3 Dec 02

Zulip is an open source group chat application that combines real-time chat with threaded conversations. Rated medium se

CVE-2022-36048 MEDIUM
4.3 Aug 31

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se

Share

CVE-2025-30368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy