PT-2025-16904 · Zulip · Zulip

Timabbott

·

Published

2025-04-16

·

Updated

2026-01-23

·

CVE-2025-31478

CVSS v3.1

8.2

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Zulip versions prior to 10.2
Description: A bug in the Zulip server allows an account to be created without authenticating against the configured Single Sign-On (SSO) backend, in organizations where account creation is gated solely by SSO authentication and email/password authentication is disabled. An attacker can exploit this to create an account in such an organization without holding an account with the configured SSO identity provider.
Recommendations: For versions prior to 10.2, update to version 10.2 or later to resolve the issue. As a temporary workaround, require invitations to join the organization, so that the affected account-creation path cannot be reached by someone without an invitation.
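A triage check a practitioner might run against a deployment, as an added example (not code from this advisory or from the Zulip project): it reads the response of Zulip's unauthenticated GET /api/v1/server_settings endpoint, flags a server version below 10.2, and flags the configuration the advisory describes (email/password authentication disabled while at least one SSO backend is enabled). The field names `zulip_version` and `authentication_methods`, the backend key names in `SSO_BACKENDS`, and the sample responses are assumptions constructed for the example; confirm them against a real server's response before relying on the verdict.

```python
"""Triage helper for CVE-2025-31478 (Zulip < 10.2, SSO-only account creation bypass).

Added example, not part of the advisory or the Zulip project. Assumed: the
unauthenticated endpoint GET /api/v1/server_settings returns JSON with a
`zulip_version` string and an `authentication_methods` object mapping backend
name -> enabled boolean. Check those assumptions against a real response.
"""
import json
import re
import sys
import urllib.request

# First release containing the fix, per the advisory.
FIXED_VERSION = (10, 2)

# Backend keys (assumed names) that delegate identity to an external provider,
# i.e. the "SSO" side of the advisory's condition. "password" is the
# email+password backend the advisory says must be disabled for the bug to matter.
SSO_BACKENDS = {"saml", "ldap", "remoteuser", "github", "google",
                "gitlab", "azuread", "apple", "openid connect"}


def parse_version(version_string):
    """Extract the numeric release from strings like '10.1', '9.4-12-gabc123' or '10.2+git'."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version_string)
    if not m:
        raise ValueError(f"unrecognised Zulip version string: {version_string!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_version_affected(version_string):
    """True for any release below 10.2 (development builds of 10.x below 10.2 included)."""
    return parse_version(version_string)[:2] < FIXED_VERSION


def sso_only_signup(authentication_methods):
    """True when email/password login is off but at least one SSO backend is on."""
    enabled = {name for name, on in authentication_methods.items() if on}
    return "password" not in enabled and bool(enabled & SSO_BACKENDS)


def assess(server_settings):
    """Combine version and backend configuration into a single verdict."""
    version = server_settings["zulip_version"]
    auth = server_settings["authentication_methods"]
    affected_version = is_version_affected(version)
    sso_only = sso_only_signup(auth)
    return {
        "version": version,
        "affected_version": affected_version,
        "sso_only_signup": sso_only,
        # Whether invitations are required (the advisory's workaround) is an
        # organisation setting not exposed by this endpoint; check it as an admin.
        "exposed": affected_version and sso_only,
        "enabled_backends": sorted(n for n, on in auth.items() if on),
    }


def fetch_server_settings(base_url, timeout=10):
    """GET the public server settings document from a live server."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/v1/server_settings",
                                timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real server).
VULNERABLE_SAMPLE = {
    "zulip_version": "10.1",
    "realm_name": "Example Corp",
    "authentication_methods": {"password": False, "dev": False, "email": False,
                               "ldap": False, "saml": True, "github": False},
}
PATCHED_SAMPLE = dict(VULNERABLE_SAMPLE, zulip_version="10.2")
PASSWORD_ENABLED_SAMPLE = dict(
    VULNERABLE_SAMPLE,
    authentication_methods=dict(VULNERABLE_SAMPLE["authentication_methods"], password=True),
)


if __name__ == "__main__":
    # Pass a server URL to check a live deployment; otherwise run the samples.
    targets = [fetch_server_settings(sys.argv[1])] if len(sys.argv) > 1 else [
        VULNERABLE_SAMPLE, PATCHED_SAMPLE, PASSWORD_ENABLED_SAMPLE]
    for settings in targets:
        print(json.dumps(assess(settings), indent=2))
```

The verdict is deliberately narrow: a server on an affected version with password authentication still enabled is reported as `affected_version` but not `exposed`, because the advisory's condition is the SSO-only configuration; it should still be updated. The invitation-required workaround cannot be observed from the public endpoint, so the script does not claim to know whether it is in place.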

Weakness Enumeration: Improper Authentication (CWE-287)

Related Identifiers: CVE-2025-31478, GHSA-qxfv-j6vg-5rqc

Affected Products: Zulip