CVE-2024-21630: CWE-862: Missing Authorization in zulip zulip
Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be able to invite users and create multi-use invitations, and has also configured only admins to be able to invite users to streams. As in CVE-2023-32677, this does not let users invite new users to arbitrary streams, only to streams that the inviter can already see. Version 8.1 fixes this issue. As a workaround, administrators can limit sending of invitations down to users who also have the permission to add users to streams.
AI Analysis
Technical Summary
CVE-2024-21630 is a medium-severity vulnerability identified in version 8.0 of Zulip, an open-source team collaboration platform. The vulnerability is classified under CWE-862, which pertains to missing authorization. Specifically, this issue arises when a Zulip installation is configured to allow non-admin users to invite others via multi-use invitations, while simultaneously restricting the ability to invite users to streams only to administrators. The vulnerability permits non-admin users with invitation privileges to generate multi-use invitation links that can be used to add new users to streams that the inviter already has access to. However, it does not allow invitations to arbitrary streams outside the inviter's visibility. This flaw is similar to CVE-2023-32677, which involved single-use invitation links, but CVE-2024-21630 extends the risk to multi-use invitations. The root cause is an authorization bypass where the system fails to properly enforce permissions on multi-use invitation creation. Version 8.1 of Zulip addresses this vulnerability by correcting the authorization checks. As a temporary mitigation, administrators can restrict the ability to send invitations only to users who also have permission to add users to streams, thereby aligning invitation rights with stream membership control. The CVSS v3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, limited confidentiality impact, and no impact on integrity or availability. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations using Zulip version 8.0, this vulnerability could lead to unauthorized user invitations within existing streams, potentially exposing sensitive internal communications to unintended participants. Although the impact on confidentiality is limited to streams visible to the inviter, this could still result in information leakage within teams or departments. The integrity and availability of the platform remain unaffected. The risk is particularly relevant for organizations that have delegated invitation privileges to non-admin users without aligning stream invitation permissions, increasing the chance of inadvertent or malicious misuse. Given the collaborative nature of Zulip, unauthorized access to streams could disrupt trust and confidentiality in internal communications, which is critical for compliance with data protection regulations such as GDPR. However, since exploitation requires privileges to send invitations and does not allow arbitrary stream access, the threat is somewhat contained. The absence of known exploits reduces immediate risk but does not eliminate the need for prompt remediation.
Mitigation Recommendations
European organizations should upgrade Zulip installations from version 8.0 to version 8.1 or later, where the authorization checks have been fixed. Until the upgrade can be performed, administrators should restrict the ability to send invitations exclusively to users who also have permission to add users to streams, ensuring that invitation capabilities are tightly controlled and aligned with stream membership rights. Additionally, organizations should audit current user permissions related to invitations and stream access to identify and remediate any misconfigurations. Monitoring invitation link usage and implementing logging to detect unusual invitation activity can provide early warning of potential abuse. Educating users about the risks of sharing multi-use invitation links and enforcing policies on invitation management will further reduce exposure. Finally, organizations should maintain up-to-date backups and incident response plans to address any potential misuse swiftly.
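The following is an added example, not Zulip's own code: a small Python model of the authorization decision the advisory describes. `RealmPolicy`, `User`, `create_multiuse_invite_vulnerable`, `create_multiuse_invite_fixed` and `audit_invite_policy` are hypothetical names, and the exact post-fix semantics (requiring the "add users to streams" permission only when a link pre-selects streams) are an assumption; Zulip's real settings and API differ. It shows the gap between the two permission checks and gives administrators of an unpatched 8.0 installation a check for the risky configuration combination and the workaround stated above.

```python
"""Model of the CVE-2024-21630 permission gap (added example, not Zulip code).

Assumptions: a realm has two independent settings, "who may invite users"
and "who may add users to streams"; multi-use invitation links can carry a
preset list of streams the invitee is subscribed to on sign-up.
"""
from dataclasses import dataclass
from enum import Enum


class Who(Enum):
    """Who may perform an action (a deliberately small model)."""
    ADMINS_ONLY = "admins_only"
    MEMBERS = "members"  # admins plus ordinary non-guest members


@dataclass(frozen=True)
class RealmPolicy:
    invite_users: Who          # who may send invitations / create multi-use links
    add_users_to_streams: Who  # who may subscribe other users to streams


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool
    visible_streams: frozenset  # streams this user can already see


class PermissionDenied(Exception):
    """Raised when an action is refused by the modelled policy."""


def _allowed(who: Who, user: User) -> bool:
    return user.is_admin or who is Who.MEMBERS


def _check_visibility(inviter: User, streams) -> None:
    # Both versions limit the link to streams the inviter can see; the
    # advisory states the flaw never reaches arbitrary streams.
    for stream in streams:
        if stream not in inviter.visible_streams:
            raise PermissionDenied(f"cannot see stream {stream}")


def create_multiuse_invite_vulnerable(policy: RealmPolicy, inviter: User, streams) -> dict:
    """Pre-fix behaviour (modelled): only the invitation permission is checked,
    so a non-admin who may invite can pre-subscribe invitees to visible streams
    even when the realm lets only admins add users to streams."""
    if not _allowed(policy.invite_users, inviter):
        raise PermissionDenied("may not invite users")
    _check_visibility(inviter, streams)
    return {"inviter": inviter.name, "streams": sorted(streams)}


def create_multiuse_invite_fixed(policy: RealmPolicy, inviter: User, streams) -> dict:
    """Post-fix behaviour (modelled, an assumption): a link that pre-selects
    streams additionally requires the 'add users to streams' permission."""
    if not _allowed(policy.invite_users, inviter):
        raise PermissionDenied("may not invite users")
    if streams and not _allowed(policy.add_users_to_streams, inviter):
        raise PermissionDenied("may not add users to streams")
    _check_visibility(inviter, streams)
    return {"inviter": inviter.name, "streams": sorted(streams)}


def audit_invite_policy(policy: RealmPolicy) -> list:
    """Workaround check for an unpatched 8.0 realm: flag the combination the
    advisory describes (non-admins may invite, only admins may add users to
    streams) and state the administrator-side fix."""
    findings = []
    if policy.invite_users is Who.MEMBERS and policy.add_users_to_streams is Who.ADMINS_ONLY:
        findings.append(
            "non-admins may invite but may not add users to streams: restrict "
            "invitations to users who may also add users to streams, or upgrade to 8.1"
        )
    return findings


def denied(action, *args) -> bool:
    """True if the modelled action raises PermissionDenied (used for checks)."""
    try:
        action(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: the risky configuration and a non-admin inviter.
    risky = RealmPolicy(invite_users=Who.MEMBERS, add_users_to_streams=Who.ADMINS_ONLY)
    alice = User("alice", is_admin=False, visible_streams=frozenset({"engineering"}))
    print("8.0 model:", create_multiuse_invite_vulnerable(risky, alice, {"engineering"}))
    print("8.1 model denies:", denied(create_multiuse_invite_fixed, risky, alice, {"engineering"}))
    for finding in audit_invite_policy(risky):
        print("audit:", finding)
```

Running the module with the constructed sample shows the 8.0 model issuing a stream-carrying link for a user who may not add users to streams, the 8.1 model refusing the same request, and the audit reporting the configuration combination that the workaround in the advisory removes.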
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2023-12-29T03:00:44.954Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68387d4f182aa0cae28316f4
Added to database: 5/29/2025, 3:29:19 PM
Last enriched: 7/7/2025, 11:55:38 PM
Last updated: 8/17/2025, 8:58:08 AM