Zulip Server 10.1 security release

We released Zulip Server 10.1 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 10.0.

All three security issues are low severity for installations where all Zulip organizations have the same set of trusted administrators.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation.

Commercial support for server upgrades is available for installations that purchase a Business or Enterprise plan. For community support, everyone is welcome to drop by the Zulip development community.

Notable changes

• CVE-2025-27149: “Public data” administrative data exports can leak metadata for non-exported messages and client user agent strings.
• CVE-2025-30368: Organization exports can be deleted by administrators of a different organization.
• CVE-2025-30369: Custom profile fields can be deleted by administrators of a different organization.
• Fixed typing notifications not being displayed in topic permalink views.
• Fixed a bug that could cause the compose box send button to be improperly disabled.
• Fixed multiple display bugs involving the general chat topic.
• Fixed multiple UI live-update issues with new groups-based permissions.
• Fixed exceptions using tusd with optional AWS_* settings not set.
• Fixed Python virtual environments being incorrectly created referencing /root/, which could cause the upgrade tool or installer to fail.
• Fixed instructions for upgrading to Ubuntu 24.04 on Zulip 10.x.
• Fixed an exception upgrading to 10.x on servers that had previously hand-deleted users or realms from the database (not using the official management commands) in a way that leaked DirectMessageGroup objects associated with them.
• Fixed the setting to never de-emphasize inactive channels, which broke in 10.0.
• Fixed several visual glitches with non-default font sizes.
• Fixed minor inbox and recent conversations glitches.
• Fixed a dark theme visual glitch with the to-do widget.
• Fixed an exception when setting a password longer than 72 characters.
• Fixed the “find organization” emails not being properly translated.
• Fixed left sidebar unread counts being misaligned on Safari.
• Fixed reply button text in inbox and recent conversations views.
• Optimized the main database query to fetch unread message counts.
• Tweaked notification banner for older unreads to be shown only in conversation views.
• Tweaked warning banner for mentioning a group none of whose recipients are subscribed to avoid generating duplicate banners.
• Extended nginx configuration override support.
• Updated translations.

Thanks to Katherine Stevens for reporting CVE-2025-27149. Thanks to Bechar Thakor for reporting CVE-2025-30369 via our HackerOne program. The Zulip security team discovered CVE-2025-30368 in an internal audit following the report of CVE-2025-30369.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect:

• Join chat.zulip.org and provide feedback directly to the development community!
• Follow us on LinkedIn, Mastodon, Twitter/X, or join our announcement mailing list.