We released Zulip Server 10.4 today! This is a security release, fixing an
important security issue (CVE-2025-52559), as well as several bugs.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. Zulip Cloud has already been …
We released Zulip Server 10.3 today! This is a security release, fixing a
security issue (CVE-2025-47930), as well as several bugs, most importantly an
issue with LDAP synchronization of user roles.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
…
We released Zulip Server 10.2 today! This is a security release, fixing a
critical security issue (CVE-2025-31478), as well as several bugs, most
importantly a collection of issues that prevented servers using some
S3-compatible block storage services from successfully uploading files on Zulip
Server …
We released Zulip Server 10.1 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 10.0.
All three security issues are low severity for installations where all Zulip
organizations have the same set of trusted administrators.
Upgrading
We …
We released Zulip Server 9.4 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 9.3.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation.
Commercial support …
We released Zulip Server 8.3 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 8.2.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 8.1 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 8.0.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 7.5 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 7.4.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 7.4 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 7.3.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 7.3 today! This is a security release, containing
important security fixes and cherry-picked changes since Zulip Server 7.2.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 6.2 today! This is a security release, containing two
security fixes and several cherry-picked changes since Zulip Server 6.1.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 5.7 today! This is a security release, containing a
security fix and several cherry-picked changes since Zulip Server 5.6.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, best-effort …
We released Zulip Server 5.6 today! This is a security release, containing an
important security fix and several cherry-picked changes since Zulip Server 5.5.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need …
We released Zulip Server 5.5 today! This is a security release, containing an
important security fix and several cherry-picked changes since Zulip Server 5.4.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need …
Administrators of Zulip Cloud organizations can
export public data
from their organization via the organization settings menu. The exports include
all the data that appears in public streams, and can be used to migrate from
Zulip Cloud to self-hosting Zulip. Note that exporting private data is a
separate …
We released Zulip Server 5.4 today! This is a security release, containing a
security fix and several cherry-picked changes since Zulip Server 5.3.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, best-effort …
We released Zulip Server 5.3 today! This is a security release, containing a
minor security fix and several cherry-picked changes since Zulip Server 5.2.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, …
We released Zulip Server 4.11 today! This is a security release, containing a
minor security fix.
Upgrading
We recommend that all installations upgrade to this new release. See the
upgrade instructions
in the Zulip documentation. If you need help, best-effort support is available
on chat.zulip.org.
…
An internal investigation recently uncovered a vulnerability (identified as
CVE-2022-21706) in Zulip’s invitation links. Specifically, a
reusable invitation link
could be used to join a different organization than the one it was created for.
As a result, there was a potential for users to join any organization …
We released Zulip Server 4.10 today! This is a security release, containing
important security fixes, as well as important cherry-picked bug fixes, since
Zulip Server 4.9.
Upgrading
We strongly recommend that all installations upgrade to this new release. See
the
upgrade instructions
in the Zulip documentation. …
We released Zulip Server 4.9 today! This is a security release, containing
critical security fixes, as well as important cherry-picked bug fixes, since
Zulip Server 4.8.
Upgrading
We strongly recommend that all installations upgrade to this new release. See
the
upgrade instructions
in the Zulip documentation. …
This is an important security announcement for Zulip installations running the
main (development) branch of the Zulip server. The main branch of Zulip
Server, since
a commit merged on December 4th,
was vulnerable to a stored cross-site scripting vulnerability in stream names. A
malicious user with permission …
We released Zulip Server 4.8 today! This is a security release, containing
important security fixes, as well as important cherry-picked bug fixes, since
Zulip Server 4.7.
Deprecating support for Ubuntu 18.04 Bionic
With this release, we are deprecating support for Ubuntu 18.04 Bionic.
Specifically, …
We released Zulip Server 4.7 today! This is a security release, containing minor
security fixes since Zulip Server 4.6.
What’s new
This release fixes CVE-2021-41115, which prevents organization administrators
from affecting the server with a regular expression denial-of-service attack
through linkifier …
We released Zulip Server 4.4 today! This is a security release, containing
important security fixes, as well as important cherry-picked bug fixes, since
Zulip Server 4.3.
What’s new
This release fixes the following issues:
Added a tool to fix potential database corruption caused by host OS upgrades;
…
Zulip Server 3.4 was released today! This is a security release, containing
important security updates for the 3.x series of Zulip Server.
This will likely be the last release in the 3.x stable release series, as we are
getting close to publishing the first release candidate for Zulip 4.0.
What’s new
…
On Thursday, March 18, 2021, Zulip Cloud had an important security incident. In
short, a subtle caching bug resulted in up to 149 users being shown a broken
read-only version of the Zulip UI from one of 26 other users whose data was
incorrectly cached.
This malfunctioning interface did not display …
Today we released Zulip Desktop 5.4.3, fixing a security issue:
CVE-2020-24582: Zulip Desktop failed to escape various strings interpolated
into the user interface HTML. This could result in code execution when
connecting to a maliciously altered Zulip server.
The Zulip security team discovered this …
We released Zulip Server 2.1.7 today. This is a security release, containing a
couple cherry-picked changes since Zulip Server 2.1.6.
What’s new
This releases fixes multiple important bugs in previous versions of Zulip. It
contains fixes for the following issues:
CVE-2020-15070: Fix privilege escalation …
We released Zulip Server 2.1.5 today. This is a security release, containing a
dozen cherry-picked changes since Zulip Server 2.1.4.
What’s new
This releases fixes several important bugs in previous versions of Zulip. It
contains fixes for the following issues:
CVE-2020-12759: Fix reflected XSS vulnerability …
Today we released Zulip Desktop 5.2.0, fixing a critical security issue:
CVE-2020-12637: Zulip Desktop 0.5.10 introduced a certificate validation
handler to support the undocumented ignoreCerts option available by manually
editing the configuration file. However, the handler inadvertently disabled
…
We released Zulip Server 2.1.3 today. This is a security release, containing a
few dozen cherry-picked changes since Zulip 2.1.2.
What’s new
This releases fixes several important bugs in previous versions of Zulip. It
contains fixes for the following issues:
CVE-2020-9444: Reverse tabnabbing vulnerability …
Today we released Zulip Desktop 5.0.0, fixing multiple critical security issues
as well as several other important issues:
CVE-2020-10856: Remote code execution due to missing context isolation.
CVE-2020-10857: Remote code execution due to unsafe use of shell.openExternal
and shell.openItem.
Downloaded …
Today we released Zulip Desktop 4.0.3, fixing a critical security issue:
CVE-2020-9443: Web security was disabled in the Electron webview.
This is a critical security issue because Zulip’s security model for uploaded
files relies on the browser (in this case Electron) enforcing the web security
model. …
We released Zulip Server 2.1.2 today. This is a security release, containing a
few dozen cherry-picked changes since Zulip 2.1.1.
What’s new
This releases fixes several important bugs in previous versions of Zulip. It
contains fixes for the following issues:
Corrected fix for CVE-2019-19775 (the original …
We released Zulip Server 2.0.8 today. This is a security release, containing a
handful of cherry-picked changes since Zulip 2.0.7.
What’s new
This release fixes a security bug in Zulip 1.9.0 and greater:
CVE-2019-19775: Close open redirect in thumbnail view.
Upgrading
All installations should upgrade …
We released Zulip Server 2.0.7 today. This is a security release, containing a
handful of cherry-picked changes since Zulip 2.0.6.
What’s new
This release fixes an important security bug in previous versions of Zulip.
Quoting from
the commit
fixing it:
CVE-2019-18933: Fix insecure account creation via …
We released Zulip Server 2.0.5 today. This is a security release, containing a
handful of cherry-picked changes since Zulip 2.0.4.
What’s new
This releases fixes a few important bugs in previous versions of Zulip. It
contains fixes for the following security issues:
CVE-2019-16215: Fix DoS vulnerability …
Today we’re releasing Zulip Server 1.7.2. This is a security release, containing
just a handful of cherry-picked changes since 1.7.1.
What’s new
This release fixes several security issues:
CVE-2018-9986: Fix XSS issues with frontend markdown processor.
CVE-2018-9987: Fix XSS issue with muting notifications.
…
Today we’re releasing Zulip Server 1.7.1. This is a security release, containing
just a handful of cherry-picked changes since 1.7.0.
To readers in the US: happy Thanksgiving! We generally avoid making a security
release just before a major holiday, but we’ve made an exception in this case
because the …
Tim Abbott 
Alex Vandiver 
Greg Price 
Matt Keller 
Anders Kaseorg