CVE-2025-47930 MEDIUM

CVE-2025-47930: Zulip Server has access control bypass for restrictions on creation of specific channel types

Vendor Zulip

Product zulip

Weakness CWE-863 · Incorrect authorization

Published May 15, 2025

Last update May 16, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique works for creating private channels without permission, though such a process requires either the API or modifying the HTML, as we do mark the "private" radio button as disabled in such cases. Version 10.3 contains a patch.

Key dates

02Disclosure timeline

May 15, 2025 CVE published

May 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-47930

Related vulnerabilities

CVE-2025-47930: Zulip Server has access control bypass for restrictions on creation of specific channel types

01Description

02Disclosure timeline

03References

04Related CVE