PT-2026-22199 · Zulip
Odgrso · Published 2026-02-26 · Updated 2026-03-03
CVE-2026-25741
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Zulip versions prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7
Description: Zulip is a team collaboration tool. A flaw existed in the API endpoint used for creating a card update session during an upgrade process, allowing users with organization member privileges to access it. Upon completion of the associated Stripe Checkout session, the Stripe webhook would update the organization’s default payment method. A lack of billing-specific authorization checks allowed regular organization members to modify the organization’s payment method. This impacted the Zulip Cloud payment processing system. The issue was addressed with commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. The API endpoint involved is '/api/card update session'. The vulnerable operation involves updating the organization’s default payment method via a Stripe webhook.
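The weakness class described above, incorrect authorization on a billing endpoint, is illustrated by the following added example. It is not Zulip's code and does not reproduce the patched endpoint; the `User`, `Realm` and `start_card_update_session_*` names, the `is_billing_admin` role and the simulated webhook are hypothetical stand-ins. The vulnerable form gates the session only on organization membership, so the downstream webhook applies whatever payment method the session carries; the hardened form requires a billing-specific privilege at session creation, which is where the authorization boundary has to sit because the webhook itself cannot re-check the original caller.

```python
"""Missing billing authorization beside its hardened form.

Constructed illustration of the advisory's weakness class; not Zulip's code.
All names (User, Realm, is_billing_admin, start_card_update_session_*) are hypothetical.
"""
from dataclasses import dataclass, field


class BillingAccessDenied(PermissionError):
    """Raised when the caller lacks the privilege needed for a billing action."""


@dataclass
class User:
    name: str
    is_member: bool = True          # any regular organization member
    is_billing_admin: bool = False  # hypothetical billing-specific privilege


@dataclass
class Realm:
    """Stands in for an organization and its billing state."""
    default_payment_method: str = "card_old"
    audit_log: list = field(default_factory=list)


def _webhook_complete(realm: Realm, new_method: str) -> str:
    """Simulates the payment-provider webhook that fires when the checkout
    session completes. It trusts that authorization happened when the session
    was created, so any gap at session creation is carried through here."""
    realm.default_payment_method = new_method
    realm.audit_log.append(f"payment method set to {new_method}")
    return realm.default_payment_method


def start_card_update_session_vulnerable(user: User, realm: Realm, new_method: str) -> str:
    """Vulnerable pattern: organization membership is the only gate, so every
    member can start a session whose completion rewrites the payment method."""
    if not user.is_member:
        raise BillingAccessDenied("organization membership required")
    return _webhook_complete(realm, new_method)


def start_card_update_session_fixed(user: User, realm: Realm, new_method: str) -> str:
    """Hardened pattern: membership is necessary but not sufficient; the caller
    must also hold the billing-specific privilege, and denials are logged so
    the attempt is visible to defenders."""
    if not user.is_member:
        raise BillingAccessDenied("organization membership required")
    if not user.is_billing_admin:
        realm.audit_log.append(f"denied card update session for {user.name}")
        raise BillingAccessDenied("billing administrator privilege required")
    return _webhook_complete(realm, new_method)


def demo() -> dict:
    """Runs both forms with a plain member and a billing admin and returns the
    resulting default payment method for each case."""
    member = User("plain-member")
    admin = User("billing-admin", is_billing_admin=True)
    results = {}

    realm = Realm()
    results["vulnerable_member"] = start_card_update_session_vulnerable(member, realm, "card_member")

    realm = Realm()
    try:
        start_card_update_session_fixed(member, realm, "card_member")
    except BillingAccessDenied:
        pass
    results["fixed_member"] = realm.default_payment_method  # unchanged: card_old
    results["fixed_member_denials"] = sum("denied" in e for e in realm.audit_log)

    results["fixed_admin"] = start_card_update_session_fixed(admin, Realm(), "card_new")
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The point to take from the example is the placement of the check: because the webhook runs later, outside the caller's request, the role check must be enforced when the session is created, and a membership-only check at that point is indistinguishable from no check for a regular member.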
Recommendations: For Zulip Cloud deployments, upgrade to a version with commit bf28c82dc9b1f630fa8e9106358771b20a0040f7 or later. Self-hosted deployments are no longer affected and do not require any action.

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2026-25741
GHSA-VHHX-84F7-RC8J

Affected Products
Stripe
Zulip