Skip to main content

Zoom Workplace CVE-2026-53408

| EUVDEUVD-2026-36523 HIGH
Improper Authorization in Handler for Custom URL Scheme (CWE-939)
2026-06-12 Zoom GHSA-589r-wg5p-vwjq
8.1
CVSS 3.1 · Vendor: Zoom
Share

Severity by source

Vendor (Zoom) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable custom URL handler, low complexity, requires an existing low-privilege Zoom session context (PR:L), no user interaction, high C/I impact on the user's Zoom data with no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Zoom).

CVSS VectorVendor: Zoom

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 20:01 EUVD
Analysis Generated
Jun 12, 2026 - 19:22 vuln.today
CVE Published
Jun 12, 2026 - 17:57 cve.org
HIGH 8.1

DescriptionCVE.org

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.

AnalysisAI

Privilege escalation in Zoom Workplace mobile clients (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler for a custom URL scheme, allowing a remote attacker to elevate privileges over network access. The CVSS 8.1 rating reflects high confidentiality and integrity impact with low-complexity exploitation, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Technical ContextAI

Zoom Workplace is Zoom Communications' unified mobile collaboration client for Android and iOS that registers custom URL schemes (e.g., zoommtg://) so other apps and web pages can launch Zoom functionality with parameters. The root cause is CWE-939 (Improper Authorization in Handler for Custom URL Scheme), where the deep-link/intent handler accepts URL-borne actions without sufficiently validating the caller's authorization context, so a network-delivered URL can invoke privileged in-app actions intended for trusted callers. On Android the entry point is typically an exported Activity bound to an intent-filter scheme, and on iOS it is a registered URL type routed through the application's URL handler.

RemediationAI

Vendor-released patch: upgrade Zoom Workplace to 7.0.4 or later on Android and 7.0.3 or later on iOS per Zoom Security Bulletin ZSB-26010 (https://www.zoom.com/en/trust/security-bulletin/zsb-26010), pushed via MDM where possible to enforce minimum versions. Where immediate patching is not feasible, compensating controls include using MDM/MAM policies to block installation of untrusted third-party apps that could invoke the Zoom URL scheme, instructing users not to click zoommtg:// or related Zoom deep links from untrusted email, chat, or web sources, and on managed Android devices restricting which apps can send implicit intents to Zoom; note these controls degrade legitimate deep-link workflows such as one-tap meeting joins from calendar invites and SSO portals.

Share

CVE-2026-53408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy