Bechar Thakor

**Name of the Vulnerable Software and Affected Versions** Zulip Server versions prior to 10.1 **Description** The issue concerns the API for deleting an organization custom profile field in Zulip, an open-source team collaboration tool. The API handler failed to check if the field belongs to the same organization as the user, allowing an administrator of any organization to delete custom profile fields belonging to a different organization. **Recommendations** For versions prior to 10.1, update to Zulip Server 10.1 to resolve the issue. As a temporary workaround, consider restricting access to the API endpoint for deleting organization custom profile fields to prevent unauthorized deletion.