Skip to main content

Zulip CVE-2026-26058

| EUVDEUVD-2026-18838 MEDIUM
Path Traversal (CWE-22)
2026-04-03 security-advisories@github.com
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
11.6
EUVD ID Assigned
Apr 03, 2026 - 21:22 euvd
EUVD-2026-18838
Analysis Generated
Apr 03, 2026 - 21:22 vuln.today
CVE Published
Apr 03, 2026 - 21:17 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.

AnalysisAI

Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server filesystem and copy them into the uploads directory via a crafted export tarball containing specially crafted paths in uploads/records.json. Zulip versions 1.4.0 through 11.5 are affected; the vulnerability requires local access and user interaction (import initiation) but can expose sensitive server data readable by the Zulip application user. No active exploitation has been confirmed; a vendor-released patch is available in version 11.6.

Technical ContextAI

The vulnerability exploits improper path validation in Zulip's import mechanism, which processes tarball exports containing a records.json file that references file paths. The underlying issue is a classic path traversal flaw (CWE-22) where insufficient sanitization of file paths allows directory traversal sequences (e.g., ../) to escape the intended uploads directory sandbox. When an administrator or authorized user imports a malicious tarball during server migration or restoration, the import process resolves these traversal paths against the actual filesystem, enabling arbitrary file read access. The flaw exists in the Python-based Django management command that handles import logic, affecting all installations from 1.4.0 onward until patching.

RemediationAI

Vendor-released patch: Zulip version 11.6 and later. Upgrade immediately to Zulip 11.6 or the latest available release via the standard Zulip upgrade procedure. If immediate upgrade is not feasible, restrict access to the ./manage.py import command and the tarball import UI to highly trusted administrators only; validate that export tarballs are generated from trusted, authenticated Zulip instances and have not been modified in transit. Refer to the official security advisory at https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956 for complete patching instructions and verification steps.

More in Zulip

View all
CVE-2021-41115 MEDIUM POC
6.5 Oct 07

Zulip is an open source team chat server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2022-31168 HIGH
8.8 Jul 22

Zulip is an open source team chat tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2019-10476 HIGH
7.8 Oct 23

Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins ma

CVE-2022-24751 HIGH
7.4 Mar 16

Zulip is an open source group chat application. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitab

CVE-2026-40300 MEDIUM
6.0 May 12

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "move

CVE-2022-35962 MEDIUM
5.7 Aug 29

Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. Rated medium severity (CVSS 5.7)

CVE-2024-36624 MEDIUM
5.4 Nov 29

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. Rated me

CVE-2024-36625 MEDIUM
5.4 Nov 29

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. Rated medi

CVE-2026-25742 MEDIUM
5.3 Apr 03

Zulip versions 1.4.0 through 11.5 allow unauthenticated retrieval of attachments and topic history from web-public strea

CVE-2021-43791 MEDIUM
5.3 Dec 02

Zulip is an open source group chat application that combines real-time chat with threaded conversations. Rated medium se

CVE-2022-36048 MEDIUM
4.3 Aug 31

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se

CVE-2023-28623 LOW
3.7 May 19

Zulip is an open-source team collaboration tool with unique topic-based threading. Rated low severity (CVSS 3.7), this v

Share

CVE-2026-26058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy