CVE-2026-25741

Published: Feb 26, 2026

Modified: Mar 3, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.

Vendor	Product	Versions
zulip	zulip	affected `< bf28c82dc9b1f630fa8e9106358771b20a0040f7`

Weaknesses (CWE)

CWE-863

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

References

https://github.com/zulip/zulip/security/advisories/GHSA-vhhx-84f7-rc8j

x_refsource_CONFIRM

https://github.com/zulip/zulip/commit/bf28c82dc9b1f630fa8e9106358771b20a0040f7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-25741

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References