CVE-2024-56136

Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the `main` branch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zulip/zulip/commit/c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d	Patch
https://github.com/zulip/zulip/security/advisories/GHSA-5xg8-xhfj-4hm6	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*:*

History

27 Sep 2025, 00:16

Type	Values Removed	Values Added
CPE	cpe:2.3:a:zulip:zulip::::::::	cpe:2.3:a:zulip:zulip_server::::::::
First Time		Zulip zulip Server

27 Aug 2025, 02:19

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://github.com/zulip/zulip/commit/c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d -~~	() https://github.com/zulip/zulip/commit/c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d - Patch
References	~~() https://github.com/zulip/zulip/security/advisories/GHSA-5xg8-xhfj-4hm6 -~~	() https://github.com/zulip/zulip/security/advisories/GHSA-5xg8-xhfj-4hm6 - Third Party Advisory
CPE		cpe:2.3:a:zulip:zulip::::::::
Summary		(es) El servidor Zulip ofrece un chat de equipo de código abierto que ayuda a los equipos a mantenerse productivos y concentrados. Zulip Server 7.0 y versiones posteriores son vulnerables a un ataque de divulgación de información, en el que, si un servidor Zulip aloja varias organizaciones, un usuario no autenticado puede realizar una solicitud y determinar si un usuario está utilizando una dirección de correo electrónico. Zulip Server 9.4 resuelve el problema, al igual que la rama "principal" de Zulip Server. Se recomienda a los usuarios que actualicen. No existen workarounds conocidos para este problema.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Zulip zulip Zulip

16 Jan 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-16 20:15

Updated : 2025-09-27 00:16

NVD link : CVE-2024-56136

Mitre link : CVE-2024-56136

CVE.ORG link : CVE-2024-56136

JSON object : View

Products Affected

zulip

zulip_server

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

5.3 /10