CVE-2024-21630 MEDIUM

CVE-2024-21630: Zulip non-admins can invite new users to streams they would not otherwise be able to add existing users to

Vendor Zulip
Product zulip
Weakness CWE-862 · Missing authorization
Published January 25, 2024
Last update May 29, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations rather than the single-use invitation links covered by the prior CVE. Specifically, it applies when the installation has been configured so that non-admins can invite users and create multi-use invitations, while only admins can add users to streams: a non-admin could then attach streams to a multi-use invitation that they would not be permitted to add existing users to. As in CVE-2023-32677, this does not let users invite new users to arbitrary streams, only to streams that the inviter can already see. Version 8.1 fixes this issue. As a workaround, administrators can restrict the ability to send invitations to users who also have permission to add users to streams.

Disclosure timeline

January 25, 2024 CVE published
May 29, 2025 Record updated

Related CVE

CVE-2023-32677: the earlier Zulip issue of the same kind, affecting single-use invitation links rather than multi-use invitations.