Nixpkgs security tracker
5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
Zulip: Anonymous File Access After Disabling Spectator Access
Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.
References
-
https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w x_refsource_CONFIRM
-
https://github.com/zulip/zulip/releases/tag/11.6 x_refsource_MISC
Affected products
- ==< 11.6
Matching in nixpkgs
pkgs.zulip
Desktop client for Zulip Chat
pkgs.zulip-term
Zulip's official terminal client
-
nixos-unstable 0.7.0-unstable-2026-02-10
- nixpkgs-unstable 0.7.0-unstable-2026-02-10
- nixos-unstable-small 0.7.0-unstable-2026-02-10
-
nixos-25.11 0.7.0-unstable-2025-05-19
- nixos-25.11-small 0.7.0-unstable-2025-05-19
- nixpkgs-25.11-darwin 0.7.0-unstable-2025-05-19
pkgs.matrix-zulip-bridge
Matrix puppeting appservice bridge for Zulip
pkgs.python312Packages.zulip
Bindings for the Zulip message API
pkgs.python313Packages.zulip
Bindings for the Zulip message API
pkgs.python314Packages.zulip
Bindings for the Zulip message API
pkgs.python312Packages.zulip-emoji-mapping
Get emojis by Zulip names
pkgs.python313Packages.zulip-emoji-mapping
Get emojis by Zulip names
pkgs.python314Packages.zulip-emoji-mapping
Get emojis by Zulip names
Package maintainers
-
@judgeNotFound Robert Richter <robert.richter@rrcomtech.com>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@andersk Anders Kaseorg <andersk@mit.edu>