📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global data_breach Pharmaceutical HIGH 1h Global vulnerability Technology, Artificial Intelligence CRITICAL 1h Global vulnerability Information Technology CRITICAL 1h Global phishing Gaming and Entertainment HIGH 2h Global vulnerability Information Technology CRITICAL 2h Global phishing Law Enforcement, Cybercrime HIGH 2h Global vulnerability Artificial Intelligence MEDIUM 2h Global vulnerability Government CRITICAL 3h Global data_breach Government HIGH 4h Global vulnerability Enterprise Software / ERP Systems CRITICAL 4h Global data_breach Pharmaceutical HIGH 1h Global vulnerability Technology, Artificial Intelligence CRITICAL 1h Global vulnerability Information Technology CRITICAL 1h Global phishing Gaming and Entertainment HIGH 2h Global vulnerability Information Technology CRITICAL 2h Global phishing Law Enforcement, Cybercrime HIGH 2h Global vulnerability Artificial Intelligence MEDIUM 2h Global vulnerability Government CRITICAL 3h Global data_breach Government HIGH 4h Global vulnerability Enterprise Software / ERP Systems CRITICAL 4h Global data_breach Pharmaceutical HIGH 1h Global vulnerability Technology, Artificial Intelligence CRITICAL 1h Global vulnerability Information Technology CRITICAL 1h Global phishing Gaming and Entertainment HIGH 2h Global vulnerability Information Technology CRITICAL 2h Global phishing Law Enforcement, Cybercrime HIGH 2h Global vulnerability Artificial Intelligence MEDIUM 2h Global vulnerability Government CRITICAL 3h Global data_breach Government HIGH 4h Global vulnerability Enterprise Software / ERP Systems CRITICAL 4h
Vulnerabilities

CVE-2026-40300

Medium ⚡ Exploit Available
CWE-284 — Weakness Type
Published: May 12, 2026  ·  Modified: May 15, 2026  ·  Source: NVD
CVSS v3
6.5
🔗 NVD Official
📄 Description (English)

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.

🤖 AI Executive Summary

Zulip Server versions prior to 12.0 contain an improper access control vulnerability (CVE-2026-40300) that allows low-privilege users to recover edited message content through the /api/v1/messages/{id}/history endpoint, bypassing the message_edit_history_visibility_policy setting. With a CVSS score of 6.5 and publicly available exploits, this poses a moderate risk to organizations using Zulip for sensitive communications. The vulnerability affects confidentiality of edited messages and requires immediate patching or compensating controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 22:42
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Zulip for internal communications—particularly in government agencies (NCA, CITC), banking sector (SAMA-regulated institutions), healthcare organizations, and energy companies—face risks of unauthorized disclosure of edited messages containing sensitive information. The vulnerability is particularly concerning for organizations handling classified communications or confidential business discussions. Government entities and financial institutions are at highest risk due to regulatory requirements around communication audit trails and data protection.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry communications) Banking and Financial Services (SAMA-regulated) Healthcare Energy (ARAMCO, utilities) Telecommunications Education Large enterprises with internal collaboration needs
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Upgrade Zulip Server to version 12.0 or later immediately

2. If immediate upgrade is not possible, implement the following compensating controls:

   - Restrict API access to /api/v1/messages/{id}/history endpoint using reverse proxy/WAF rules

   - Limit message history API access to administrative accounts only

   - Monitor and log all API calls to the history endpoint

3. Review audit logs for unauthorized access to message history endpoints

4. Notify users that edited message content may have been exposed



PATCHING GUIDANCE:

- Download Zulip Server 12.0+ from official repository

- Test in staging environment before production deployment

- Plan maintenance window for upgrade (typically 30-60 minutes)

- Backup database before upgrade



DETECTION RULES:

- Alert on repeated /api/v1/messages/{id}/history API calls from non-admin accounts

- Monitor for API calls with message IDs from messages edited within last 30 days

- Track failed authentication attempts to history endpoint

- Log all successful history endpoint queries with user context
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. ترقية خادم Zulip إلى الإصدار 12.0 أو أحدث فورًا

2. إذا لم يكن الترقية الفورية ممكنة، طبق الضوابط التعويضية التالية:

   - قيد الوصول إلى نقطة نهاية /api/v1/messages/{id}/history باستخدام قواعد WAF/Reverse Proxy

   - حدد وصول API لسجل الرسائل للحسابات الإدارية فقط

   - راقب وسجل جميع استدعاءات API لنقطة النهاية

3. راجع سجلات التدقيق للوصول غير المصرح به إلى نقاط نهاية سجل الرسائل

4. أخطر المستخدمين بأن محتوى الرسائل المعدلة قد يكون قد تم الكشف عنه



إرشادات التصحيح:

- قم بتنزيل Zulip Server 12.0+ من المستودع الرسمي

- اختبر في بيئة التطوير قبل نشر الإنتاج

- خطط نافذة صيانة للترقية (عادة 30-60 دقيقة)

- قم بعمل نسخة احتياطية من قاعدة البيانات قبل الترقية



قواعد الكشف:

- تنبيه على استدعاءات متكررة لـ /api/v1/messages/{id}/history من حسابات غير إدارية

- مراقبة استدعاءات API برسائل معدلة خلال آخر 30 يومًا

- تتبع محاولات المصادقة الفاشلة لنقطة النهاية

- تسجيل جميع استعلامات نقطة النهاية الناجحة مع سياق المستخدم
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.6.1.1 - Information access control ECC 2024 A.8.2.1 - User access management ECC 2024 A.8.2.3 - Management of privileged access rights ECC 2024 A.12.4.1 - Event logging
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control Policy SAMA CSF PR.AC-1 - Processes and procedures for access management SAMA CSF DE.AE-1 - Audit and accountability events
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties ISO 27001:2022 A.8.2.1 - User registration and access provisioning ISO 27001:2022 A.8.2.3 - Management of privileged access rights ISO 27001:2022 A.8.2.4 - Access rights review ISO 27001:2022 A.8.3.2 - Restriction of access to information
📦 Affected Products / CPE 1 entries
zulip:zulip_server:10.0
📊 CVSS Score
6.5
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredL — Low / Local
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityN — None / Network
AvailabilityN — None / Network
📋 Quick Facts
Severity Medium
CVSS Score6.5
CWECWE-284
EPSS0.03%
Exploit ✓ Yes
Patch ✗ No
Published 2026-05-12
Source Feed nvd
🇸🇦 Saudi Risk Score
6.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
exploit-available CWE-284
🏢 Vendor Advisories
🔗 https://github.com/zulip/zulip/security/advisories/G... 🔗 https://github.com/zulip/zulip/security/advisories/G...
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.