CVE-2026-25741 in Zulip
Summary
by MITRE • 02/27/2026
Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.
Analysis
by VulDB Data Team • 02/27/2026
This vulnerability resides in the payment processing infrastructure of the Zulip team collaboration platform, specifically in the authorization controls governing billing operations. The flaw emerged from insufficient access control validation in the API endpoint responsible for creating card update sessions during organizational upgrades. Prior to the remediation commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the system permitted any organization member to initiate a payment method update through the upgrade flow, bypassing the billing-specific authorization that should gate it. This represents a critical authorization bypass vulnerability that directly violates the principle of least privilege and proper access control enforcement.
Technically, the vulnerability stems from the absence of a billing-specific authorization check on the path that ends with a Stripe webhook notification updating the organization's payment method. When a user with standard membership privileges completes the Stripe Checkout session, the system automatically updates the organization's default payment method without ever having verified that the initiating user holds billing administrator privileges. This creates a direct pathway for unauthorized payment method changes, because the system does not validate that the requesting user has elevated billing permissions before a payment method modification is carried out. The vulnerability specifically affects the upgrade flow, where the card update session endpoint was exposed to users lacking billing authorization.
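To make the gap concrete, the following Python example, added here and not taken from Zulip or from commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, models the two halves of the flow with constructed in-memory stand-ins: the endpoint that mints a card update session, and the webhook handler that applies the resulting payment method to the organization. The `User`, `Realm`, `SESSIONS` and `has_billing_access` names, and the rule that owners, administrators and flagged billing admins have billing access, are assumptions for illustration only.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional
import secrets


class Role(Enum):
    MEMBER = "member"
    ADMINISTRATOR = "administrator"
    OWNER = "owner"


@dataclass
class User:
    id: int
    realm_id: int
    role: Role
    is_billing_admin: bool = False  # assumption: an explicit per-user billing flag


@dataclass
class Realm:
    id: int
    default_payment_method: Optional[str] = None


class Unauthorized(Exception):
    """Raised when the caller may not perform a billing operation."""


# Constructed in-memory stand-in for the checkout-session table. A real system
# persists this and looks it up when the payment provider's webhook arrives.
SESSIONS: Dict[str, dict] = {}


def has_billing_access(user: User) -> bool:
    """Assumed policy: realm owners/administrators or flagged billing admins."""
    return user.is_billing_admin or user.role in (Role.OWNER, Role.ADMINISTRATOR)


def start_card_update_session_before(user: User, realm: Realm) -> str:
    """'Before' shape: any authenticated member of the realm may mint a session."""
    if user.realm_id != realm.id:
        raise Unauthorized("user does not belong to this organization")
    session_id = "cs_" + secrets.token_hex(8)
    SESSIONS[session_id] = {"realm_id": realm.id, "initiator_id": user.id}
    return session_id


def start_card_update_session_after(user: User, realm: Realm) -> str:
    """'After' shape: the billing check is made where the session is minted."""
    if user.realm_id != realm.id:
        raise Unauthorized("user does not belong to this organization")
    if not has_billing_access(user):
        raise Unauthorized("billing access required to change the payment method")
    session_id = "cs_" + secrets.token_hex(8)
    SESSIONS[session_id] = {"realm_id": realm.id, "initiator_id": user.id}
    return session_id


def handle_checkout_completed(session_id: str, payment_method_id: str,
                              realms: Dict[int, Realm]) -> Realm:
    """Webhook side. It only sees a (signature-verified) session id and the new
    payment method, so it trusts whatever the session creation endpoint allowed:
    if a plain member could mint the session, that member's card becomes the
    organization's default."""
    session = SESSIONS.pop(session_id)
    realm = realms[session["realm_id"]]
    realm.default_payment_method = payment_method_id
    return realm


def run_scenario(create_session: Callable[[User, Realm], str],
                 actor: User) -> Optional[str]:
    """Drive one flow end to end and return the realm's resulting payment method."""
    realm = Realm(id=1, default_payment_method="pm_owner_card")  # constructed
    try:
        session_id = create_session(actor, realm)
    except Unauthorized:
        return realm.default_payment_method  # request refused; nothing changed
    # The provider would now call the webhook once hosted checkout completes.
    handle_checkout_completed(session_id, "pm_member_new_card", {realm.id: realm})
    return realm.default_payment_method


if __name__ == "__main__":
    member = User(id=42, realm_id=1, role=Role.MEMBER)
    billing = User(id=7, realm_id=1, role=Role.MEMBER, is_billing_admin=True)
    print("before, member:       ", run_scenario(start_card_update_session_before, member))
    print("after,  member:       ", run_scenario(start_card_update_session_after, member))
    print("after,  billing admin:", run_scenario(start_card_update_session_after, billing))
```

The point of the webhook handler is that it cannot make the authorization decision itself: by the time the provider calls back, the only thing it can verify is that the session is genuine. The decision therefore has to be enforced where the session is created, which is what the "after" endpoint does and what the "before" endpoint omits.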
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential financial fraud and organizational security breaches. A regular organization member could maliciously or accidentally change the organization's payment method, potentially redirecting all future billing to an attacker-controlled payment instrument. This creates a significant risk for organizations relying on Zulip Cloud services, as the financial implications could be substantial and the audit trail would be difficult to trace back to the unauthorized change. The vulnerability essentially allows privilege escalation from standard member to billing administrator level through the payment processing workflow, violating fundamental security principles of role-based access control.
The remediation implemented in commit bf28c82dc9b1f630fa8e9106358771b20a0040f7 addresses this issue by enforcing proper billing-specific authorization checks within the card update session endpoint. This aligns with CWE-284 which addresses improper access control vulnerabilities, and follows ATT&CK technique T1078 for valid accounts and T1531 for credential access. Organizations should consider implementing additional monitoring for payment method changes, as this vulnerability demonstrates how seemingly innocuous API endpoints can create significant security risks when proper authorization controls are absent. The fix ensures that only users with appropriate billing privileges can initiate payment method updates, restoring proper segregation of duties within the payment processing workflow. This vulnerability serves as a reminder of the critical importance of implementing robust authorization controls, particularly for financial operations, and the potential consequences when such controls are missing from core system functionality.
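The monitoring suggestion above can be turned into a simple check over billing audit events. The following Python example is added here and is not Zulip's code; the JSON-lines log format, the event names and the role names in `BILLING_ROLES` are all constructed assumptions. It flags every payment method change whose recorded actor holds no billing-capable role, and fails closed when the actor's roles were not logged at all.

```python
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample audit events as JSON lines; this is not Zulip's log format.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-02-27T10:00:01Z", "event": "payment_method_updated", "realm_id": 1, "actor_id": 7, "actor_roles": ["billing_admin"], "old": "pm_card_1", "new": "pm_card_2"}
{"ts": "2026-02-27T10:05:12Z", "event": "card_update_session_created", "realm_id": 1, "actor_id": 42, "actor_roles": ["member"]}
{"ts": "2026-02-27T10:06:40Z", "event": "payment_method_updated", "realm_id": 1, "actor_id": 42, "actor_roles": ["member"], "old": "pm_card_2", "new": "pm_card_3"}
{"ts": "2026-02-27T11:00:00Z", "event": "payment_method_updated", "realm_id": 2, "actor_id": 9, "actor_roles": ["owner"], "old": null, "new": "pm_card_9"}
{"ts": "2026-02-27T11:30:00Z", "event": "payment_method_updated", "realm_id": 2, "actor_id": 0, "old": "pm_card_9", "new": "pm_card_10"}
"""

# Assumed role names that legitimately carry billing authority.
BILLING_ROLES = {"owner", "administrator", "billing_admin"}


def parse_events(text: str) -> Iterator[Dict]:
    """Yield one dict per well-formed JSON line; malformed lines are skipped so a
    single bad record cannot abort the whole scan."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def find_unauthorized_payment_changes(events: Iterable[Dict]) -> List[Dict]:
    """Return an alert for each payment method change made by an actor without a
    billing role. Missing 'actor_roles' is treated as no role (fail closed)."""
    alerts: List[Dict] = []
    for event in events:
        if event.get("event") != "payment_method_updated":
            continue
        roles = set(event.get("actor_roles") or [])
        if roles & BILLING_ROLES:
            continue  # a billing-capable actor made the change; expected
        alerts.append({
            "ts": event.get("ts"),
            "realm_id": event.get("realm_id"),
            "actor_id": event.get("actor_id"),
            "old": event.get("old"),
            "new": event.get("new"),
            "reason": "payment method changed by actor without a billing role",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_payment_changes(parse_events(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Of the five constructed events, two are flagged: the change made by the plain member (actor 42), and the change whose actor has no roles recorded at all (actor 0). Everything else is performed by an owner or billing admin and passes.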