CVE-2026-53407
Description
Improper authorization in custom URL scheme handler in Zoom Workplace for Android and iOS allows unauthenticated escalation of privilege via network access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Improper authorization in the handler for custom URL schemes in Zoom Workplace for Android before version 7.0.4 and for iOS before version 7.0.3 allows an unauthenticated attacker to trigger an escalation of privilege via network access. The vulnerability resides in the custom URL scheme handler, which fails to properly validate authorization before performing actions [1].
Exploitation
An attacker who can deliver a link to the user (network attack vector: no local or adjacent access is required) crafts a URL in the application's custom scheme. When the user opens it (user interaction required), the operating system routes the URL to the vulnerable handler, which performs the requested action without checking whether the caller or the current session is authorized to perform it. No credentials are needed, so the action runs from an unauthenticated state [1].
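The bug class described above, as an added example that is not part of this page and not Zoom's code: a platform-neutral Python model of a custom-scheme handler, with the vulnerable pass-through beside a hardened version that authorizes before acting. The scheme `exampleapp://`, the action names, the `Session` class and the `confirm` callback are assumptions made for illustration; nothing here reflects the actual Zoom Workplace handler, whose fix is not available to read.

```python
"""Platform-neutral model of a custom URL scheme handler, vulnerable and hardened.

Constructed example, not Zoom's code. The scheme name "exampleapp", the action
names, the Session class and the confirm() callback are all hypothetical. It
shows the bug class only: a deep link is attacker-controlled input, so the
handler must make the authorization decision itself rather than trust the URL.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

SCHEME = "exampleapp"  # hypothetical custom scheme registered by the app

# Actions the handler knows. Privileged ones read or change data inside the
# app's context; "open" only brings the app to the foreground.
PRIVILEGED_ACTIONS = {"join", "export_chat", "set_pref"}
PUBLIC_ACTIONS = {"open"}

AuditLog = List[Tuple[str, Dict[str, str], str]]


@dataclass
class Session:
    """Hypothetical stand-in for the app's signed-in state."""
    authenticated: bool = False
    user: str = ""


def parse_link(url: str) -> Tuple[str, Dict[str, str]]:
    """Split 'exampleapp://action?k=v' into (action, params); reject other schemes."""
    u = urlparse(url)
    if u.scheme != SCHEME:
        raise ValueError(f"unexpected scheme {u.scheme!r}")
    action = u.netloc or u.path.strip("/")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return action, params


def handle_vulnerable(url: str, session: Session, audit: AuditLog) -> str:
    """Improper authorization: whatever the URL names is executed, signed in or not.

    The only check is the scheme. The handler never asks whether the current
    session may perform the action, so a link opened from a web page or a
    message drives privileged actions from an unauthenticated state.
    """
    action, params = parse_link(url)
    audit.append((action, params, session.user))  # the action "runs" here
    return "executed"


def handle_hardened(
    url: str,
    session: Session,
    audit: AuditLog,
    confirm: Callable[[str, Dict[str, str]], bool],
) -> str:
    """Treat the URL as untrusted input and authorize before acting.

    confirm() models an in-app prompt that shows the user exactly which
    action and parameters the link is asking for before anything changes.
    """
    action, params = parse_link(url)
    if action not in PRIVILEGED_ACTIONS | PUBLIC_ACTIONS:
        return "rejected:unknown-action"      # allowlist, not pass-through
    if action in PRIVILEGED_ACTIONS:
        if not session.authenticated:
            return "rejected:unauthenticated"  # closes the no-credentials path
        if not confirm(action, params):
            return "rejected:declined"
    audit.append((action, params, session.user))
    return "executed"
```

The difference between the two handlers is where the authorization decision is made: the vulnerable one lets the URL decide, the hardened one lets the session and the user decide. When auditing a mobile app for this class, follow every intent-filter, `UIApplicationDelegate` URL callback or universal-link entry point to the code it eventually calls and check that the same authorization the in-app UI enforces is enforced on that path too.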
Impact
Successful exploitation results in high confidentiality and integrity impact with no availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Scope is unchanged, so the impact is confined to the Zoom Workplace application's own data and privileges: the attacker can read sensitive data or modify data within the application's context, reaching privileged functionality from an unauthenticated state [1].
Mitigation
Zoom has released fixed versions: Zoom Workplace for Android 7.0.4 and for iOS 7.0.3. Users should apply the latest updates available at https://zoom.us/download. No workarounds are documented, and this CVE is not listed on the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.0.4 (Android) / <7.0.3 (iOS)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.