Unrated severityNVD Advisory· Published Jul 22, 2022· Updated Apr 23, 2025

Zulip Server insufficient authorization for changing bot roles

CVE-2022-31168

Description

Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the Who can create bots permission to administrators only, and change the ownership of existing bots.

Affected products

Zulip/Zulipv5
Range: < 5.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034mitrex_refsource_MISC
github.com/zulip/zulip/releases/tag/5.5mitrex_refsource_MISC
github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000