Path Traversal Vulnerability in Zulip Collaboration Tool
CVE-2026-26058

Score: 6.1 (MEDIUM)

Key Information:

Vendor: Zulip
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-26058?

Zulip, an open-source collaboration tool, is vulnerable to a path traversal issue in versions 1.4.0 through 11.5. When an operator imports a maliciously crafted export tarball with ./manage.py import, the importer can be made to read arbitrary files from the server's filesystem, limited to whatever the zulip user has permission to read. The flaw is patched in version 11.6, and affected deployments should upgrade to mitigate the risk.
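The defensive check for this class of bug is to refuse any archive member whose resolved path, or whose link target, leaves the destination directory before anything is extracted or read. The following is an added example, not Zulip's own code; the destination directory and the sample tarball members are constructed for illustration.

```python
import io
import os
import tarfile

def unsafe_members(tar_bytes: bytes, dest: str = "/var/lib/zulip/import") -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that would escape dest (dest is assumed)."""
    root = os.path.realpath(dest)
    problems = []

    def inside(path: str) -> bool:
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.join(root, m.name)
            if os.path.isabs(m.name) or not inside(target):
                problems.append((m.name, "path escapes destination"))
            elif m.issym() or m.islnk():
                # A symlink resolves relative to its own directory, a hardlink
                # relative to the archive root; both must stay inside dest.
                base = os.path.dirname(target) if m.issym() else root
                if os.path.isabs(m.linkname) or not inside(os.path.join(base, m.linkname)):
                    problems.append((m.name, "link points outside destination"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "unexpected member type"))
    return problems

def _add(tar: tarfile.TarFile, name: str, data: bytes = b"", linkname: str = "") -> None:
    info = tarfile.TarInfo(name)
    if not linkname:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    else:
        info.type, info.linkname = tarfile.SYMTYPE, linkname
        tar.addfile(info)

def constructed_export(malicious: bool) -> bytes:
    """Constructed sample tarball for the demo; not a real Zulip export."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "zulip-export/realm.json", b"{}")                    # legitimate member
        if malicious:
            _add(tar, "zulip-export/../../../etc/passwd", b"x")        # dot-dot traversal
            _add(tar, "/etc/shadow", b"x")                             # absolute path
            _add(tar, "zulip-export/settings", linkname="/etc/zulip")  # symlink out of dest
    return buf.getvalue()

if __name__ == "__main__":
    print(unsafe_members(constructed_export(malicious=True)))
```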

Affected Version(s)

zulip >= 1.4.0, < 11.6

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
