Description
Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios.
Published: 2026-02-23
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized execution of backend functions by an authenticated administrator
Action: Immediate Patch
AI Analysis

Impact

Improper validation of user-supplied input in the ZIA Admin UI allows an authenticated administrator to trigger specific backend functions through certain input fields. This flaw can lead to the execution of unintended operations within the backend, potentially giving the attacker the ability to alter settings or perform actions that should be restricted to authorized contexts.

Affected Systems

The vulnerability affects all versions of Zscaler ZIA Admin UI that lack the specified input validation fix. No specific version range is provided, so any instance of the ZIA Admin UI prior to the corrective release is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity, but the EPSS score of less than 1% and absence from the CISA KEV catalog suggest a low likelihood of widespread exploitation. The attack vector requires an authenticated administrative session and is limited to specific UI scenarios, so the risk is primarily for organizations with compromised or mismanaged admin credentials.

Generated by OpenCVE AI on April 17, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Zscaler ZIA Admin UI patch that addresses the input validation flaw
  • Restrict administrative accounts to the minimum necessary privileges and enforce strong authentication controls
  • Enable and monitor audit logging for all Admin UI activity to detect abnormal or unauthorized actions



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zscaler zscaler Internet Access Admin Portal
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:zscaler:zscaler_internet_access_admin_portal:*:*:*:*:*:*:*:*
Vendors & Products | | Zscaler zscaler Internet Access Admin Portal

Tue, 24 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zscaler; Zscaler zia Admin Ui
Vendors & Products | | Zscaler; Zscaler zia Admin Ui

Mon, 23 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios.
Title | | ZIA Admin UI Input Validation Bug
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Zscaler Zia Admin Ui
Zscaler Internet Access Admin Portal

MITRE

Status: PUBLISHED

Assigner: Zscaler

Published:

Updated: 2026-02-23T18:41:19.949Z

Reserved: 2026-01-07T15:52:48.033Z

Link: CVE-2026-22567

Vulnrichment

Updated: 2026-02-23T18:41:13.560Z

NVD

Status : Analyzed

Published: 2026-02-23T17:23:28.913

Modified: 2026-02-26T16:44:07.780

Link: CVE-2026-22567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses