Description
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
Published: 2026-06-12
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper authorization issue in Zoom Workplace’s handler for a custom URL scheme, allowing an unauthenticated user to trigger privileged network operations and thereby elevate privileges. This weakness is identified as CWE‑939. The CVSS score of 8.1 reflects high severity and indicates the potential for significant compromise of confidentiality or integrity if exploited.

Affected Systems

Zoom Communications’ Zoom Workplace app on Android versions earlier than 7.0.4 and on iOS versions earlier than 7.0.3 is affected. All devices running those versions that host the app are at risk.

Risk and Exploitability

The flaw does not require authentication, so an attacker could trigger it by injecting a crafted custom URL scheme or employing an inter‑app attack to invoke Zoom Workplace, leading to privileged network access. Based on the description, it is inferred that this constitutes a network-based attack vector. The EPSS score is not available, but the CVSS score of 8.1 signals high risk. The vulnerability is not listed in CISA’s KEV catalog, and no public exploit is reported, yet the ability for an unprivileged user to gain elevated access remains clear.

Generated by OpenCVE AI on June 12, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zoom Workplace on Android to 7.0.4 or newer and on iOS to 7.0.3 or newer to receive the authorization fix.
  • If an immediate update is infeasible, disable or tightly restrict the custom URL scheme handling for Zoom Workplace so that only authenticated sources can invoke it.
  • Continuously monitor outbound network traffic from Zoom Workplace for anomalous connections and investigate any unexpected activity.

Generated by OpenCVE AI on June 12, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unprivileged Custom URL Scheme Privilege Escalation in Zoom Workplace

Fri, 12 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Zoom Communications
Zoom Communications zoom Workplace
Vendors & Products Zoom Communications
Zoom Communications zoom Workplace

Fri, 12 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
Weaknesses CWE-939
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Zoom Communications Zoom Workplace
cve-icon MITRE

Status: PUBLISHED

Assigner: Zoom

Published:

Updated: 2026-06-12T18:57:10.848Z

Reserved: 2026-06-09T10:12:34.854Z

Link: CVE-2026-53408

cve-icon Vulnrichment

Updated: 2026-06-12T18:57:02.658Z

cve-icon NVD

Status : Received

Published: 2026-06-12T19:16:30.093

Modified: 2026-06-12T19:16:30.093

Link: CVE-2026-53408

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:00:18Z

Weaknesses
  • CWE-939

    Improper Authorization in Handler for Custom URL Scheme