{"id":"CVE-2026-25742","summary":"Zulip: Anonymous File Access After Disabling Spectator Access","details":"Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/\u003cstream_id\u003e/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.","aliases":["GHSA-f47p-xjqq-g28w"],"modified":"2026-07-08T08:04:57.381691558Z","published":"2026-04-03T20:12:07.296Z","database_specific":{"cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25742.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/zulip/zulip/releases/tag/11.6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25742.json"},{"type":"ADVISORY","url":"https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25742"},{"type":"FIX","url":"https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236"},{"type":"FIX","url":"https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zulip/zulip","events":[{"introduced":"7e4caf3a67a6542714760e4e93f192494905aa05"},{"fixed":"4c2ab731279918d570602c79965cb8c6e2c3c4fc"},{"fixed":"3c045414299680b9f5dca7d76cf6cef6121c0236"},{"fixed":"41e23347b5218b3b0397a55176c7d97396735bae"}],"database_specific":{"cpe":"cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.4.0"},{"fixed":"11.6"}],"source":["CPE_RANGE","REFERENCES"]}},{"type":"GIT","repo":"https://github.com/zulip/zulip-mobile","events":[{"introduced":"0"},{"fixed":"5d7794078d159157860b76c93f1550be9418731d"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.4.0"},{"fixed":"11.6"}]}}],"versions":["11.5","11.4","11.3","11.2","11.1","11.0","11.0-beta2","11.0-beta1","11.0-dev","10.0","10.0-beta2","10.0-beta1","9.0","9.0-beta1","8.0","9.0-dev","8.0-beta2","8.0-beta1","8.0-dev","7.0","7.0-beta3","shared-0.0.18","shared-0.0.17","7.0-dev","6.0","shared-0.0.16","shared-0.0.15","shared-0.0.14","shared-0.0.13","shared-0.0.12","shared-0.0.11","shared-0.0.10","6.0-dev","5.0","shared-0.0.9","shared-0.0.8","shared-0.0.7","shared-0.0.6","4.0","5.0-dev","shared-0.0.5","shared-0.0.4","shared-0.0.3","4.0-dev","3.0","3.0-rc2","3.0-rc1","3.0-dev","2.2-dev","2.1.0","2.1.0-rc1","shared-0.0.2","shared-0.0.1","2.0.0","2.1-dev","2.0.0-rc1","1.9.0","1.9.0-rc3","1.9.0-rc2","1.8.0","1.8.0-rc1","1.7.0","1.6.0","1.5.0","1.4.0","11.5.76","11.4.75","11.3.74","11.1.73","10.1.70","9.1.67","8.3.64","8.2.63","8.1.62","7.3.57","7.1.55","7.0.54","6.6.53","5.0.46","3.3.43","3.2.42","3.1.41","3.0.40","2.7.39","2.3.35","2.1.33","1.0.29","1.0.27","1.0.26","1.0.25","1.0.24","1.0.22","1.0.21","1.0.20","1.0.19","1.0.18","1.0.17","1.0.16","1.0.15","1.0.14","1.0.13","1.0.12","1.0.11","0.7.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25742.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}