Skip to main content

Zoom Workplace EUVDEUVD-2026-36522

| CVE-2026-53407 CRITICAL
Improper Authorization in Handler for Custom URL Scheme (CWE-939)
2026-06-12 Zoom GHSA-xm5c-4gf9-qf8c
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Zoom) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Custom URL scheme handlers are reached by the victim opening an attacker-supplied link or co-resident app, so UI:R is more honest than the vendor's UI:N; impact remains total.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Zoom).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 26, 2026 - 21:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 21:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 21:07 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 21:07 NVD
HIGH CRITICAL
CVSS changed
Jun 26, 2026 - 21:07 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Patch available
Jun 12, 2026 - 20:01 EUVD
Analysis Generated
Jun 12, 2026 - 19:22 vuln.today
CVE Published
Jun 12, 2026 - 17:56 cve.org
HIGH 8.1

DescriptionNVD

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.

AnalysisAI

Privilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler that processes the app's custom URL scheme, allowing an unauthenticated actor to elevate privileges via network access. Zoom self-reported and patched the flaw, and no public exploit identified at time of analysis; EPSS remains very low (0.04%, 12th percentile) and CISA SSVC marks exploitation as none, indicating no observed activity despite the 9.8 CVSS score.

Share

EUVD-2026-36522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy