Zulip Cloud security vulnerability with reusable invitation links
An internal investigation recently uncovered a vulnerability (identified as CVE-2022-21706) in Zulip’s invitation links. Specifically, a reusable invitation link could be used to join a different organization than the one it was created for. As a result, users could potentially join any organization without an invitation, bypassing domain restrictions in the process. This vulnerability was discovered by the Zulip security team and has now been fixed for all Zulip Cloud organizations.
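The class of bug described above, as an added example that is not Zulip's code: a simplified model of a multi-tenant server where invitation redemption looks the link up server-wide, next to a version that binds the link to the organization being joined. All names (`Invite`, `Org`, `join_unscoped`, `join_scoped`, the sample organizations and key) are hypothetical, and the model assumes the flawed path treats any known link as approval from the target organization.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invite:
    key: str
    org: str  # organization the link was created for

@dataclass(frozen=True)
class Org:
    name: str
    allowed_domains: frozenset = frozenset()  # empty set means no restriction

# Constructed sample data: two organizations hosted on one server.
ORGS = {
    "open": Org("open"),
    "acme": Org("acme", frozenset({"acme.example"})),
}
INVITES = {"k-open-1": Invite("k-open-1", "open")}  # reusable link made for "open"

class JoinDenied(Exception):
    pass

def join_unscoped(host_org: str, key: str, email: str) -> tuple:
    """Flawed: accepts any invitation known to the server and treats it
    as proof that host_org approved this user."""
    if key not in INVITES:
        raise JoinDenied("unknown invitation")
    return (host_org, email)

def join_scoped(host_org: str, key: str, email: str) -> tuple:
    """Hardened: the invitation must belong to the organization being
    joined, and that organization's domain restriction still applies."""
    invite = INVITES.get(key)
    if invite is None or invite.org != host_org:
        raise JoinDenied("invitation not valid for this organization")
    allowed = ORGS[host_org].allowed_domains
    if allowed and email.rsplit("@", 1)[-1].lower() not in allowed:
        raise JoinDenied("email domain not allowed")
    return (host_org, email)

def is_allowed(join, host_org: str, key: str, email: str) -> bool:
    """Run one of the join functions and report whether it admitted the user."""
    try:
        join(host_org, key, email)
        return True
    except JoinDenied:
        return False
```

The same scoping check is worth a regression test in any multi-tenant service: redeem a link created in one tenant against another tenant and assert that it is refused.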