Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable custom URL handler, low complexity, requires an existing low-privilege Zoom session context (PR:L), no user interaction, high C/I impact on the user's Zoom data with no availability effect.
Primary rating from Vendor (Zoom).
CVSS VectorVendor: Zoom
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
AnalysisAI
Privilege escalation in Zoom Workplace mobile clients (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler for a custom URL scheme, allowing a remote attacker to elevate privileges over network access. The CVSS 8.1 rating reflects high confidentiality and integrity impact with low-complexity exploitation, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Technical ContextAI
Zoom Workplace is Zoom Communications' unified mobile collaboration client for Android and iOS that registers custom URL schemes (e.g., zoommtg://) so other apps and web pages can launch Zoom functionality with parameters. The root cause is CWE-939 (Improper Authorization in Handler for Custom URL Scheme), where the deep-link/intent handler accepts URL-borne actions without sufficiently validating the caller's authorization context, so a network-delivered URL can invoke privileged in-app actions intended for trusted callers. On Android the entry point is typically an exported Activity bound to an intent-filter scheme, and on iOS it is a registered URL type routed through the application's URL handler.
RemediationAI
Vendor-released patch: upgrade Zoom Workplace to 7.0.4 or later on Android and 7.0.3 or later on iOS per Zoom Security Bulletin ZSB-26010 (https://www.zoom.com/en/trust/security-bulletin/zsb-26010), pushed via MDM where possible to enforce minimum versions. Where immediate patching is not feasible, compensating controls include using MDM/MAM policies to block installation of untrusted third-party apps that could invoke the Zoom URL scheme, instructing users not to click zoommtg:// or related Zoom deep links from untrusted email, chat, or web sources, and on managed Android devices restricting which apps can send implicit intents to Zoom; note these controls degrade legitimate deep-link workflows such as one-tap meeting joins from calendar invites and SSO portals.
More in Zoom Workplace
View allPrivilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper autho
Information disclosure in Zoom Workplace for iOS before version 7.0.0 allows an authenticated user with physical access
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36523
GHSA-589r-wg5p-vwjq