CVE-2025-31478 Overview
CVE-2025-31478 is an authentication bypass vulnerability [CWE-287] in the Zulip open-source team collaboration server. The flaw allows unauthorized account creation in Zulip organizations (realms) that rely exclusively on a single sign-on (SSO) authentication backend without requiring invitations or email domain restrictions. When administrators disable the EmailAuthBackend and depend solely on SSO for identity verification, the server fails to enforce that requirement during signup. Attackers can create accounts without authenticating against the configured SSO backend, gaining access to organization content and channels.
Critical Impact
Remote unauthenticated attackers can bypass SSO requirements and create accounts in Zulip organizations that disabled email/password authentication, exposing internal communications and team data.
Affected Products
- Zulip Server versions prior to 10.2
- Zulip self-hosted deployments configured with SSO-only authentication
- Zulip organizations without invitation requirements or email domain restrictions
Discovery Timeline
- 2025-04-16 - CVE-2025-31478 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-31478
Vulnerability Analysis
The vulnerability resides in the Zulip signup workflow, specifically in zerver/forms.py and zerver/views/registration.py. Zulip supports a configuration where account creation is gated only by successful authentication against an SSO backend such as SAML, LDAP, or OAuth providers. Administrators implement this by disabling EmailAuthBackend while leaving open enrollment enabled (no invitations required, no email domain allowlist).
The HomepageForm signup handler did not verify that a password-based authentication backend was enabled before allowing direct registration. As a result, the signup path bypassed the intended SSO requirement entirely. An unauthenticated network attacker can submit a registration request and create a fully functional account in the target realm without ever interacting with the configured SSO provider.
Root Cause
The root cause is missing authentication backend enforcement during the signup flow. The form did not import or check password_auth_enabled, so it accepted registrations even when no email/password backend was configured. This represents a logic flaw where the security model assumed SSO would be reached, but no code path enforced it.
Attack Vector
Exploitation requires network access to the Zulip web interface and a target realm configured with SSO-only authentication, open enrollment, and no invitation requirement. The attacker submits a standard registration request to the signup endpoint. The server processes the registration without redirecting to or validating the SSO backend, creating an account directly.
# Patch in zerver/forms.py - adds password_auth_enabled import
get_realm,
)
from zerver.models.users import get_user_by_delivery_email, is_cross_realm_bot_email
-from zproject.backends import check_password_strength, email_auth_enabled, email_belongs_to_ldap
+from zproject.backends import (
+ check_password_strength,
+ email_auth_enabled,
+ email_belongs_to_ldap,
+ password_auth_enabled,
+)
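Review bot: Nothing in this hunk calls the newly imported password_auth_enabled; the visible change only widens the import line. The check that actually rejects a signup when no password backend is enabled (presumably in HomepageForm's validation, where the new require_password_backend argument is consumed) sits outside this excerpt and should be reviewed together with it, since an import with no consumer would also be flagged as unused by the project's linters.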
# Patch in zerver/views/registration.py - enforces password backend check
form = HomepageForm(
request.POST,
realm=realm,
+ require_password_backend=True,
from_multiuse_invite=from_multiuse_invite,
invited_as=invited_as,
)
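Review bot: Passing require_password_backend=True hard-codes the gate at this single call site. Confirm that HomepageForm.__init__ accepts the new keyword with a safe default (otherwise every other instantiation of the form breaks), and that any other code path that constructs HomepageForm for direct registration also passes it, because the `form = HomepageForm(request.POST, realm=realm, ...)` call shown here is the only one patched in this excerpt.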
Source: Zulip Security Patch Commit b5ab90a
Detection Methods for CVE-2025-31478
Indicators of Compromise
- New user accounts created in SSO-only realms without corresponding SSO provider authentication logs
- Account registrations originating from IP addresses that have no matching session at the configured identity provider
- Unexpected UserProfile entries in the Zulip database for realms configured with AUTHENTICATION_BACKENDS excluding EmailAuthBackend
Detection Strategies
- Cross-reference Zulip signup events with SSO provider authentication logs to identify accounts created without a matching SSO session
- Audit the zerver_userprofile table for accounts created prior to upgrade in realms where EmailAuthBackend is disabled
- Monitor Zulip server access logs for POST requests to /accounts/register/ and /accounts/home/ in SSO-only deployments
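The cross-referencing strategy above, as an added example that is not part of this page or of the Zulip project: it takes constructed records in the shape an operator would export from RealmAuditLog USER_CREATED events and from the identity provider's login log, and flags creations in SSO-only realms that have no IdP login for the same email within the preceding window (realm names, emails and the 10-minute window are assumptions).

```python
"""Flag Zulip account creations in SSO-only realms that lack a matching SSO login.

Added example for this page; not Zulip project code. All input data below is
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed: realm string_id -> True when EmailAuthBackend is disabled (SSO-only)
SSO_ONLY_REALMS = {"acme": True, "lab": False}

# Constructed USER_CREATED events exported from RealmAuditLog: (email, realm, time UTC)
USER_CREATED = [
    ("alice@acme.example", "acme", datetime(2025, 4, 16, 10, 1, 5)),
    ("mallory@acme.example", "acme", datetime(2025, 4, 16, 10, 5, 30)),
    ("bob@lab.example", "lab", datetime(2025, 4, 16, 11, 0, 0)),
]

# Constructed identity-provider login records: (email, login time UTC)
IDP_LOGINS = [
    ("alice@acme.example", datetime(2025, 4, 16, 10, 0, 40)),
]


def unmatched_creations(created, idp_logins, sso_only, window=timedelta(minutes=10)):
    """Return (email, realm, created_at) for creations in SSO-only realms with no
    IdP login for that email in the `window` before the account was created."""
    logins_by_email = {}
    for email, ts in idp_logins:
        logins_by_email.setdefault(email.lower(), []).append(ts)
    flagged = []
    for email, realm, created_at in created:
        if not sso_only.get(realm, False):
            continue  # password-based signups are expected in this realm
        recent = [ts for ts in logins_by_email.get(email.lower(), [])
                  if created_at - window <= ts <= created_at]
        if not recent:
            flagged.append((email, realm, created_at))
    return flagged


if __name__ == "__main__":
    for email, realm, ts in unmatched_creations(USER_CREATED, IDP_LOGINS, SSO_ONLY_REALMS):
        print(f"{ts.isoformat()} realm={realm}: {email} created with no SSO login")
```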
Monitoring Recommendations
- Enable detailed audit logging for account creation events and forward them to a centralized log platform
- Alert on registration completions in realms configured with invite_required=False and SSO-only backends
- Periodically review RealmAuditLog for RealmAuditLog.USER_CREATED events with unusual provenance
How to Mitigate CVE-2025-31478
Immediate Actions Required
- Upgrade Zulip Server to version 10.2 or later, which contains the require_password_backend=True enforcement
- Audit existing accounts in affected realms and disable any that cannot be tied to a legitimate SSO authentication event
- Review realm configuration to confirm authentication backend settings match organizational intent
Patch Information
The issue is fixed in Zulip Server 10.2. The patch adds the password_auth_enabled import and passes require_password_backend=True to HomepageForm, which blocks signup attempts when no password backend is enabled. Details are available in the Zulip GitHub Security Advisory GHSA-qxfv-j6vg-5rqc.
Workarounds
- Require invitations to join the organization by setting invite_required=True, which prevents the vulnerable signup path from being reached
- Restrict account creation to specific email domains using realm allowlists until the upgrade is applied
- Temporarily re-enable EmailAuthBackend with strong password policies if invitation enforcement is not feasible
# Enforce invitation-only signup as a workaround (Zulip management shell)
/home/zulip/deployments/current/manage.py shell
>>> from zerver.models import Realm
>>> realm = Realm.objects.get(string_id="your-realm")
>>> realm.invite_required = True
>>> realm.save(update_fields=["invite_required"])
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

