Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25741

CVE-2026-25741: Zulip Authentication Bypass Vulnerability

CVE-2026-25741 is an authentication bypass flaw in Zulip that allows organization members to modify payment methods without proper authorization. This article covers technical details, affected systems, and remediation.

Published:

CVE-2026-25741 Overview

CVE-2026-25741 is an authorization bypass vulnerability in Zulip, an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization's default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization's payment method.

Critical Impact

Unauthorized organization members can modify billing payment methods, potentially redirecting payments or disrupting the organization's financial configuration without proper billing administrator privileges.

Affected Products

  • Zulip Cloud (prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7)
  • Note: Self-hosted Zulip deployments are not affected

Discovery Timeline

  • 2026-02-26 - CVE CVE-2026-25741 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-25741

Vulnerability Analysis

This vulnerability stems from improper access control (CWE-863) in Zulip's billing system. The API endpoint responsible for creating card update sessions during the upgrade flow lacked appropriate billing-specific authorization checks. While the endpoint required organization member authentication, it failed to verify whether the authenticated user had billing administrator privileges.

The attack flow involves a low-privileged organization member accessing the card update session API endpoint, initiating a Stripe Checkout session, and completing it with their own payment information. When Stripe processes the checkout completion webhook, Zulip's backend updates the organization's default payment method without verifying that the original request came from a user with billing access rights.

Root Cause

The root cause is insufficient authorization enforcement on the payment method update API endpoint. The decorator require_organization_member was used instead of require_billing_access, allowing any authenticated organization member to trigger payment method changes. This violates the principle of least privilege by granting billing capabilities to non-billing users.

Attack Vector

The vulnerability is exploitable over the network by any authenticated user with basic organization membership. An attacker within an organization could:

  1. Access the card update session API endpoint as a regular organization member
  2. Initiate a Stripe Checkout session for payment method modification
  3. Complete the checkout flow with attacker-controlled payment details
  4. The Stripe webhook automatically updates the organization's payment method
python
# Security patch in corporate/views/session.py
# Before: Used require_organization_member decorator allowing any member access
# After: Changed to require_billing_access for proper authorization

     authenticated_remote_realm_management_endpoint,
     authenticated_remote_server_management_endpoint,
 )
-from zerver.decorator import require_billing_access, require_organization_member
+from zerver.decorator import require_billing_access
 from zerver.lib.response import json_success
 from zerver.lib.typed_endpoint import typed_endpoint
 from zerver.models import UserProfile

Source: GitHub Commit Update

Detection Methods for CVE-2026-25741

Indicators of Compromise

  • Unexpected payment method changes in your Zulip Cloud organization billing settings
  • API calls to card update session endpoints from non-billing administrator accounts
  • Stripe webhook events for payment method updates initiated by unexpected users
  • Audit logs showing billing-related API access by regular organization members

Detection Strategies

  • Review Zulip organization audit logs for payment method modification events
  • Monitor Stripe dashboard for unauthorized checkout session completions
  • Implement alerting on billing API endpoint access patterns from non-admin accounts
  • Cross-reference payment method changes with authorized billing administrator activity

Monitoring Recommendations

  • Enable detailed logging for all billing-related API endpoints
  • Configure alerts for payment method changes in your Stripe dashboard
  • Periodically audit organization billing settings and payment method history
  • Review user privilege assignments to ensure proper billing access controls

How to Mitigate CVE-2026-25741

Immediate Actions Required

  • Verify your Zulip Cloud organization's current payment method is correct
  • Review billing activity history for any unauthorized changes
  • Audit which users have organization member access and evaluate if billing access restrictions are properly applied
  • Contact Zulip support if you suspect unauthorized payment method modifications

Patch Information

This vulnerability has been patched in Zulip Cloud as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. The fix replaces the require_organization_member decorator with require_billing_access to enforce proper authorization checks on the payment method update API endpoint. Self-hosted Zulip deployments are not affected by this vulnerability and do not require any patch or upgrade.

For additional details, see the GitHub Security Advisory and the security patch commit.

Workarounds

  • For Zulip Cloud users: No workaround is necessary as the patch has already been deployed
  • Regularly audit your organization's billing settings and payment methods
  • Limit organization membership to trusted individuals when possible
  • Enable Stripe notifications to be alerted of any payment method changes
bash
# No configuration changes required for self-hosted deployments
# Self-hosted Zulip installations are not affected by this vulnerability
# Zulip Cloud has been automatically patched

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.