CVE-2025-47930: CWE-863: Incorrect Authorization in zulip zulip

Severity: Medium
Published: Thu May 15 2025 (05/15/2025, 23:17:29 UTC)
Source: CVE
Vendor/Project: zulip
Product: zulip

Description

Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique works for creating private channels without permission, though such a process requires either the API or modifying the HTML, as we do mark the "private" radio button as disabled in such cases. Version 10.3 contains a patch.

AI-Powered Analysis

Last updated: 07/04/2025, 17:25:04 UTC

Technical Analysis

CVE-2025-47930 is a medium-severity authorization vulnerability affecting Zulip, an open-source team chat application, in versions 10.0 up to but not including 10.3. The flaw lies in the access control mechanism governing who can create public channels. Normally, Zulip restricts the creation of public channels to authorized users only; however, that restriction is not re-applied when an existing channel's privacy is changed. An attacker with limited privileges can therefore first create a private or web-public channel and then change its privacy setting to public, bypassing the intended access control check. A similar bypass exists for creating private channels without permission, but it requires either interacting with the Zulip API directly or manipulating the HTML elements, as the private channel option is disabled in the user interface for unauthorized users. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the system does not properly enforce authorization policies. The CVSS 4.0 base score is 5.3 (medium), with network attack vector, low attack complexity, no user interaction, and low privileges required. No known exploits are reported in the wild as of the publication date, and version 10.3 contains a patch that addresses this issue. The vulnerability could allow unauthorized users to create public or private channels, potentially leading to information disclosure or unauthorized communication channels within an organization.
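The advisory describes a classic check-on-creation-only authorization bug: the policy is consulted when a channel is created but not when its privacy is later changed. The following is an added, simplified model of that pattern written for this page (it is not Zulip's code and assumes hypothetical `User`, `Channel` and `may_create` names); it places the pre-10.3 shape beside the hardened variant, in which the privacy transition is gated by the same check as creation.

```python
"""Model of the CVE-2025-47930 authorization pattern (illustrative, not Zulip code)."""
from dataclasses import dataclass

PUBLIC, PRIVATE, WEB_PUBLIC = "public", "private", "web_public"


@dataclass
class User:
    name: str
    # Privacy levels this user may create channels with (models the
    # "Who can create ... channels" organisation settings; hypothetical field).
    may_create: frozenset


@dataclass
class Channel:
    name: str
    privacy: str


class PermissionDenied(Exception):
    pass


def check_create_policy(user: User, privacy: str) -> None:
    """Single authorization check: may this user produce a channel of this kind?"""
    if privacy not in user.may_create:
        raise PermissionDenied(f"{user.name} may not create {privacy} channels")


def create_channel(user: User, name: str, privacy: str) -> Channel:
    check_create_policy(user, privacy)
    return Channel(name, privacy)


def change_privacy_vulnerable(user: User, channel: Channel, new_privacy: str) -> Channel:
    """Pre-10.3 shape as the advisory describes it: the policy is consulted only at
    creation, so changing privacy afterwards is never re-authorized."""
    channel.privacy = new_privacy
    return channel


def change_privacy_fixed(user: User, channel: Channel, new_privacy: str) -> Channel:
    """Hardened variant: a change that yields a channel kind the user could not
    create directly is refused by the same check that gates creation."""
    if new_privacy != channel.privacy:
        check_create_policy(user, new_privacy)
    channel.privacy = new_privacy
    return channel


def policy_enforced(change_privacy) -> bool:
    """Regression check: a user lacking public-channel rights creates a private
    channel (allowed) and attempts to make it public. Returns True only if the
    implementation under test refuses the transition."""
    user = User("member", frozenset({PRIVATE, WEB_PUBLIC}))  # constructed sample user
    channel = create_channel(user, "design", PRIVATE)
    try:
        change_privacy(user, channel, PUBLIC)
    except PermissionDenied:
        return channel.privacy == PRIVATE
    return False
```

The same `check_create_policy` call is what prevents the second variant the advisory mentions, turning a channel private without "create private channels" rights, since the check keys on the target privacy rather than on the creation path.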

Potential Impact

For European organizations using affected Zulip versions, this vulnerability could lead to unauthorized creation of public or private channels, undermining internal communication controls. Unauthorized public channels might expose sensitive discussions to unintended audiences if channel membership is not properly managed. Similarly, unauthorized private channels could be used to create hidden communication paths, complicating monitoring and compliance efforts. This could affect the confidentiality and integrity of communications, especially in regulated sectors prevalent in Europe such as finance, healthcare, and government. Because the bypass requires no user interaction and only low privileges, it raises the risk from insider threats or compromised accounts. While availability impact is minimal, the breach of access control policies can lead to regulatory compliance issues under GDPR and other European data protection laws, potentially resulting in legal and reputational damage.

Mitigation Recommendations

European organizations should promptly upgrade all Zulip instances to version 10.3 or later, where the vulnerability is patched. Until upgrades are completed, administrators should restrict channel creation permissions to trusted users only and review channel creation logs for unexpected new channels or privacy changes. Implementing strict API access controls and auditing API usage can help detect attempts to exploit the vulnerability via the API or HTML manipulation. Organizations should also enforce multi-factor authentication and strong account security to reduce the risk of compromised accounts being used to exploit this flaw. Periodic reviews of channel memberships and permissions, together with awareness training on unauthorized channel creation, further reduce the risk. Network segmentation and monitoring of Zulip server traffic for anomalous behavior may also provide early detection of exploitation attempts.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-14T10:32:43.529Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aebef1

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 5:25:04 PM

Last updated: 7/29/2025, 1:54:10 AM