CVE-2026-25741
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2Description
Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.
Analysis
Zulip's payment method update API endpoint in the upgrade flow lacks proper authorization checks, allowing any organization member to modify the default payment method by completing a Stripe Checkout session. This vulnerability affected Zulip Cloud users and has been patched; self-hosted deployments are not impacted and require no action.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all Zulip instances and verify current versions against the vulnerable commit; disable upgrade functionality if possible or restrict access to administrators only. Within 7 days: implement network-level access controls to limit card update session API endpoints to administrative users via reverse proxy or WAF rules; notify users to report suspicious upgrade activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today