Cyber Resilience

CVE-2026-25741

High

Published: 26 February 2026

Published
26 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0002 4.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25741 is a high-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-5 (Separation of Duties).

Deeper analysis

CVE-2026-25741 is an authorization bypass vulnerability (CWE-863) in Zulip, an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during the upgrade flow lacked billing-specific authorization checks and was accessible to users with only organization member privileges. This issue affected the Zulip Cloud payment processing system, enabling unauthorized updates via integration with Stripe Checkout sessions and webhooks.

A remote attacker with low privileges, specifically a regular organization member without billing administrator rights, can exploit this vulnerability over the network with low complexity and no user interaction required. By accessing the vulnerable endpoint, the attacker initiates a Stripe Checkout session, completes payment using their own card details, and triggers the Stripe webhook to overwrite the organization's default payment method, resulting in high integrity impact and low availability impact (CVSS v3.1 score of 7.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

Zulip has patched the vulnerability as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deployments are unaffected and require no upgrade or patch. Additional details are available in the Zulip security advisory at GHSA-vhhx-84f7-rc8j and the patch commit.

EU & UK References

Vulnerability details

Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe Checkout session is…

more

completed, the Stripe webhook updates the organization’s default payment method. Because no billing-specific authorization check is enforced, a regular (non-billing) member can change the organization’s payment method. This vulnerability affected the Zulip Cloud payment processing system, and has been patched as of commit bf28c82dc9b1f630fa8e9106358771b20a0040f7. Self-hosted deploys are no longer affected and no patch or upgrade is required for them.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass on public API endpoint enables low-priv cloud user to perform unauthorized billing actions (payment method overwrite via Stripe), directly mapping to remote exploitation of a public-facing application for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44110Shared CWE-863
CVE-2026-24851Shared CWE-863
CVE-2026-22230Shared CWE-863
CVE-2026-32005Shared CWE-863
CVE-2026-28392Shared CWE-863
CVE-2025-30751Shared CWE-863
CVE-2026-41191Shared CWE-863
CVE-2026-32726Shared CWE-863
CVE-2026-25859Shared CWE-863
CVE-2026-44221Shared CWE-863

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the missing billing-specific authorization check on the card-update API endpoint that allowed non-billing members to alter payment methods.

prevent

Requires that organization members receive only the minimum privileges needed, preventing regular members from reaching billing functions such as Stripe payment-method updates.

prevent

Mandates separation between ordinary member duties and billing-administration duties so that payment-method changes cannot be performed by non-billing roles.

References