Description
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
Published: 2026-06-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper authorization check in the handler for Zoom Workplace’s custom URL scheme enables an unauthenticated user to elevate privileges. The flaw is present in Android builds prior to version 7.0.4 and iOS builds prior to 7.0.3, allowing the attacker to gain elevated permissions without needing legitimate account credentials. This could lead to unauthorized data exposure, control over the application, or execution of unintended actions within the Zoom platform.

Affected Systems

The vulnerability affects Zoom Communications’ Zoom Workplace product on both Android and iOS platforms; specifically, Android releases before version 7.0.4 and iOS releases before version 7.0.3 are impacted. An update to the specified minimum versions removes the flaw and is the recommended mitigation.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. With no EPSS data available, the likelihood of exploitation cannot be quantified, but the lack of a KEV listing suggests no confirmed exploitation in the field yet. Exploiting the flaw requires network access to the device hosting Zoom Workplace, with no authentication needed, making it potentially reachable from external networks or internal untrusted networks. Once exploited, the attacker gains elevated privileges within the app context.

Generated by OpenCVE AI on June 12, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zoom Workplace on Android to version 7.0.4 or later; update iOS to version 7.0.3 or later
  • Revoke or disable the custom URL scheme functionality if it is no longer required for business processes
  • Restrict network access to devices running Zoom Workplace and enforce firewall rules to minimize exposure to potential exploit traffic

Generated by OpenCVE AI on June 12, 2026 at 19:27 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthenticated Privilege Escalation via Improper Authorization in Zoom Workplace URL Scheme |
| First Time appeared | | Zoom Communications; Zoom Communications zoom Workplace |
| Vendors & Products | | Zoom Communications; Zoom Communications zoom Workplace |

Fri, 12 Jun 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 12 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access. |
| Weaknesses | | CWE-939 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Zoom

Published:

Updated: 2026-06-12T19:05:19.573Z

Reserved: 2026-06-09T10:12:34.854Z

Link: CVE-2026-53407

Vulnrichment

Updated: 2026-06-12T19:05:15.789Z

NVD

Status: Received

Published: 2026-06-12T19:16:29.973

Modified: 2026-06-12T19:16:29.973

Link: CVE-2026-53407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses
  • CWE-939

    Improper Authorization in Handler for Custom URL Scheme