Zulip Web-Public Stream Access Vulnerability After Disabling Spectator Access

Vulnerability

A vulnerability in Zulip allows anonymous access to attachments and topic history in web-public streams, even after spectator access has been disabled. This issue affects Zulip versions from 1.4.0 up to, but not including, 11.6. The vulnerability arises because the 'user_uploads' endpoints permit anonymous access, and the final authorization check for attachments does not take the realm's web-public stream settings into account. As a result, file contents and topic histories remain reachable without authentication, undermining the intended privacy controls.

Impact

Exploitation of this vulnerability leads to unauthorized access to attachment files and topic histories in web-public streams. The operational risk is that disabling spectator access does not effectively revoke public access that was granted while it was enabled.

Reproduction

To reproduce this vulnerability, first obtain an administrator API key and temporarily enable spectator access. Create a web-public stream and upload an attachment. Post a message containing the attachment URL, then disable spectator access. Request the attachment URL without authentication: the request should be rejected, but on an affected version it instead returns HTTP 200 OK with the file contents, confirming the vulnerability.

Remediation

Update to Zulip version 11.6 or later, where this vulnerability has been patched.
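A post-upgrade verification script, added here as an example and not part of the advisory or of Zulip's own code, that covers both the version range stated above and the behaviour described in the Reproduction section. It assumes the operator supplies the base URL of their own Zulip server and the 'user_uploads' URLs of attachments they posted in a web-public stream; it further assumes that the server's /api/v1/server_settings endpoint reports its version in a "zulip_version" field (an assumption, to be checked against your server's API documentation). The HTTP fetch is injectable so the decision logic can be exercised offline.

```python
"""Verify that a Zulip deployment is not in the affected range and that
web-public attachments are no longer served to anonymous requests once
spectator access has been disabled.  Example code, not Zulip's own."""
import json
import sys
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

AFFECTED_MIN = (1, 4, 0)   # first affected release, from the advisory
FIXED = (11, 6, 0)         # first fixed release, from the advisory


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string such as '11.6', '11.5.2' or '11.6-dev+git'
    to a three-part numeric tuple; non-numeric suffixes are ignored."""
    core = version.split("-")[0].split("+")[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True when the version lies in [1.4.0, 11.6)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


class _NoRedirect(HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page must not be
    mistaken for the attachment itself being served."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = build_opener(_NoRedirect)


def default_fetch(url: str) -> int:
    """Unauthenticated GET; returns the HTTP status code of the first response."""
    req = Request(url, headers={"User-Agent": "zulip-webpublic-check"})
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code


def get_server_version(base_url: str) -> str:
    """Read the reported version; the 'zulip_version' field name is an assumption."""
    req = Request(base_url.rstrip("/") + "/api/v1/server_settings")
    with _opener.open(req, timeout=10) as resp:
        return json.load(resp)["zulip_version"]


def attachment_exposed(url: str, fetch: Callable[[str], int] = default_fetch) -> bool:
    """True if the attachment body is served (200) to an anonymous request."""
    return fetch(url) == 200


def assess(version: str, attachment_urls: Iterable[str],
           fetch: Callable[[str], int] = default_fetch) -> Dict[str, object]:
    """Combine the version check with a probe of each supplied attachment URL."""
    return {
        "version_affected": is_affected_version(version),
        "exposed_urls": [u for u in attachment_urls if attachment_exposed(u, fetch)],
    }


if __name__ == "__main__":
    # usage: python check.py https://zulip.example.org https://zulip.example.org/user_uploads/...
    if len(sys.argv) < 2:
        sys.exit("usage: check.py BASE_URL [ATTACHMENT_URL ...]")
    reported = get_server_version(sys.argv[1])
    result = assess(reported, sys.argv[2:])
    print(f"server version {reported}: affected range = {result['version_affected']}")
    for url in result["exposed_urls"]:
        print(f"STILL EXPOSED to anonymous requests: {url}")
    sys.exit(1 if result["version_affected"] or result["exposed_urls"] else 0)
```

Run it against your own server after disabling spectator access; a non-zero exit means either the reported version is still inside the affected range or at least one attachment URL is still served without authentication. Redirects are deliberately not followed, so a redirect to the login page counts as "not exposed".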

Added: Apr 3, 2026, 9:26 PM
Updated: Apr 3, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.