PT-2024-21794 · Zulip · Zulip
Alexmv · Published 2024-03-20 · Updated 2025-09-03 · CVE-2024-27286
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zulip versions 3.0 through 8.2
Description
The issue arises when a user moves a Zulip message from a public stream to a private stream, and chooses to move just that single message. In such cases, active users without access to the private stream, but whose client had already received the message, would continue to see the message in the public stream until they reloaded their client. Furthermore, Zulip did not remove view permissions on the message from recently-active users, allowing the message to show up in the "All messages" view or in search results. This bug has been present since version 3.0, but became more common starting in Zulip 8.0.
Recommendations
For Zulip versions 3.0 through 8.2, upgrade to Zulip Server 8.3 to resolve the issue.
As a temporary workaround, consider reloading the client to ensure the message is no longer visible in the public stream.
Restrict access to moved messages to minimize the risk of information disclosure until the issue is resolved.
Weakness Enumeration
Information Disclosure
Affected Products
Zulip