CVE-2026-25741 Overview
CVE-2026-25741 is an authorization bypass vulnerability in Zulip, an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization's default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization's payment method.
Critical Impact
Unauthorized organization members can modify billing payment methods, potentially redirecting payments or disrupting the organization's financial configuration without proper billing administrator privileges.
Affected Products
- Zulip Cloud (prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7)
- Note: Self-hosted Zulip deployments are not affected
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-25741 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-25741
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-863) in Zulip's billing system. The API endpoint responsible for creating card update sessions during the upgrade flow lacked appropriate billing-specific authorization checks. While the endpoint required organization member authentication, it failed to verify whether the authenticated user had billing administrator privileges.
The attack flow involves a low-privileged organization member accessing the card update session API endpoint, initiating a Stripe Checkout session, and completing it with their own payment information. When Stripe processes the checkout completion webhook, Zulip's backend updates the organization's default payment method without verifying that the original request came from a user with billing access rights.
Root Cause
The root cause is insufficient authorization enforcement on the payment method update API endpoint. The decorator require_organization_member was used instead of require_billing_access, allowing any authenticated organization member to trigger payment method changes. This violates the principle of least privilege by granting billing capabilities to non-billing users.
Attack Vector
The vulnerability is exploitable over the network by any authenticated user with basic organization membership. An attacker within an organization could:
- Access the card update session API endpoint as a regular organization member
- Initiate a Stripe Checkout session for payment method modification
- Complete the checkout flow with attacker-controlled payment details
- The Stripe webhook automatically updates the organization's payment method
# Security patch in corporate/views/session.py
# Before: Used require_organization_member decorator allowing any member access
# After: Changed to require_billing_access for proper authorization
authenticated_remote_realm_management_endpoint,
authenticated_remote_server_management_endpoint,
)
-from zerver.decorator import require_billing_access, require_organization_member
+from zerver.decorator import require_billing_access
from zerver.lib.response import json_success
from zerver.lib.typed_endpoint import typed_endpoint
from zerver.models import UserProfile
Source: GitHub Commit Update
Detection Methods for CVE-2026-25741
Indicators of Compromise
- Unexpected payment method changes in your Zulip Cloud organization billing settings
- API calls to card update session endpoints from non-billing administrator accounts
- Stripe webhook events for payment method updates initiated by unexpected users
- Audit logs showing billing-related API access by regular organization members
Detection Strategies
- Review Zulip organization audit logs for payment method modification events
- Monitor Stripe dashboard for unauthorized checkout session completions
- Implement alerting on billing API endpoint access patterns from non-admin accounts
- Cross-reference payment method changes with authorized billing administrator activity
Monitoring Recommendations
- Enable detailed logging for all billing-related API endpoints
- Configure alerts for payment method changes in your Stripe dashboard
- Periodically audit organization billing settings and payment method history
- Review user privilege assignments to ensure proper billing access controls
How to Mitigate CVE-2026-25741
Immediate Actions Required
- Verify your Zulip Cloud organization's current payment method is correct
- Review billing activity history for any unauthorized changes
- Audit which users have organization member access and evaluate if billing access restrictions are properly applied
- Contact Zulip support if you suspect unauthorized payment method modifications
Patch Information
This vulnerability has been patched in Zulip Cloud as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. The fix replaces the require_organization_member decorator with require_billing_access to enforce proper authorization checks on the payment method update API endpoint. Self-hosted Zulip deployments are not affected by this vulnerability and do not require any patch or upgrade.
For additional details, see the GitHub Security Advisory and the security patch commit.
Workarounds
- For Zulip Cloud users: No workaround is necessary as the patch has already been deployed
- Regularly audit your organization's billing settings and payment methods
- Limit organization membership to trusted individuals when possible
- Enable Stripe notifications to be alerted of any payment method changes
# No configuration changes required for self-hosted deployments
# Self-hosted Zulip installations are not affected by this vulnerability
# Zulip Cloud has been automatically patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
