Information Disclosure in Zulip Before Version 12.0
CVE-2026-40300

Score: 6 (MEDIUM)

Key Information:

Vendor: Zulip
Status: Vendor
CVE Published: 12 May 2026

What is CVE-2026-40300?

Zulip, a popular open-source team collaboration platform, contains a vulnerability affecting versions prior to 12.0. When the server is configured with message_edit_history_visibility_policy set to 'moves', the API endpoint /api/v1/messages/{id}/history can unintentionally expose historical message content. This flaw permits low-privilege users to recover text that other users have edited out of their messages, undermining message privacy and potentially revealing sensitive information. The issue has been addressed in version 12.0.

Affected Version(s)

zulip < 12.0

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved