Description
Improper neutralization of special elements in user-supplied input within the ZIA Admin UI could allow an authenticated administrator to access or retrieve unauthorized internal information in rare conditions.
Published: 2026-02-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized internal information disclosure
Action: Patch Now
AI Analysis

Impact

An authenticated administrator can, under rare conditions, retrieve internal data that should not be accessible. The flaw arises from improper handling of special characters in user input within the Admin UI, leading to an information disclosure vulnerability. The associated weakness is input validation failure (CWE‑20). As a result, confidentiality of internal data may be compromised for those with administrative access.

Affected Systems

The vulnerability affects the Zscaler ZIA Admin UI. No specific version numbers are listed, but the vendor advisory recommends applying the latest update released on 2026‑02‑12 or later.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity. The EPSS score of < 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator, so the threat is limited to accounts that already hold privileged access and applies only under rare conditions; this reduces overall risk, but the issue is still actionable.

Generated by OpenCVE AI on April 18, 2026 at 11:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Zscaler ZIA Admin UI patch or upgrade to a release from 2026‑02‑12 or later, as documented in the vendor advisory.
  • Restrict administrative access by limiting the number of privileged accounts and enforcing least‑privilege policies.
  • Review audit logs for unusual data retrieval activity and consider disabling the affected UI features for non‑essential users.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zscaler zscaler Internet Access Admin Portal
Weaknesses          |                | NVD-CWE-noinfo
CPEs                |                | cpe:2.3:a:zscaler:zscaler_internet_access_admin_portal:*:*:*:*:*:*:*:*
Vendors & Products  |                | Zscaler zscaler Internet Access Admin Portal

Wed, 25 Feb 2026 05:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zscaler; Zscaler zia Admin Ui
Vendors & Products  |                | Zscaler; Zscaler zia Admin Ui

Mon, 23 Feb 2026 16:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper neutralization of special elements in user-supplied input within the ZIA Admin UI could allow an authenticated administrator to access or retrieve unauthorized internal information in rare conditions.
Title       |                | Unauthorized information retrieval in ZIA Admin UI
Weaknesses  |                | CWE-20
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zscaler

Published:

Updated: 2026-02-23T18:47:28.205Z

Reserved: 2026-01-07T15:52:48.033Z

Link: CVE-2026-22568

Vulnrichment

Updated: 2026-02-23T18:47:21.196Z

NVD

Status: Analyzed

Published: 2026-02-23T17:23:29.073

Modified: 2026-02-26T16:43:14.953

Link: CVE-2026-22568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses