CVE-2025-30368

LOW

Zulip Server <10.1 - Privilege Escalation

Title source: llm
STIX 2.1

Description

Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1.

Scores

CVSS v3 2.7
EPSS 0.0032
EPSS Percentile 24.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-566
Status published
Products (1)
zulip/zulip 10.0
Published Mar 31, 2025
Tracked Since Feb 18, 2026