CVE-2026-25741
Published: 26 February 2026
Summary
CVE-2026-25741 is a high-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-5 (Separation of Duties).
Deeper analysis
CVE-2026-25741 is an authorization bypass vulnerability (CWE-863) in Zulip, an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during the upgrade flow lacked billing-specific authorization checks and was accessible to users with only organization member privileges. This issue affected the Zulip Cloud payment processing system, enabling unauthorized updates via integration with Stripe Checkout sessions and webhooks.
A remote attacker with low privileges, specifically a regular organization member without billing administrator rights, can exploit this vulnerability over the network with low complexity and no user interaction required. By accessing the vulnerable endpoint, the attacker initiates a Stripe Checkout session, completes payment using their own card details, and triggers the Stripe webhook to overwrite the organization's default payment method, resulting in high integrity impact and low availability impact (CVSS v3.1 score of 7.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).
Zulip has patched the vulnerability as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deployments are unaffected and require no upgrade or patch. Additional details are available in the Zulip security advisory at GHSA-vhhx-84f7-rc8j and the patch commit.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8893
Vulnerability details
Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is…
more
completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass on public API endpoint enables low-priv cloud user to perform unauthorized billing actions (payment method overwrite via Stripe), directly mapping to remote exploitation of a public-facing application for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces the missing billing-specific authorization check on the card-update API endpoint that allowed non-billing members to alter payment methods.
Requires that organization members receive only the minimum privileges needed, preventing regular members from reaching billing functions such as Stripe payment-method updates.
Mandates separation between ordinary member duties and billing-administration duties so that payment-method changes cannot be performed by non-billing roles.