VYPR
High severity (8.1) · NVD Advisory · Published Jun 12, 2026

CVE-2026-53408

Description

Improper authorization in Zoom Workplace's custom URL scheme handler allows unauthenticated attackers to escalate privileges via network access, requiring user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the handler for custom URL schemes in Zoom Workplace for Android before version 7.0.4 and for iOS before version 7.0.3. Due to improper authorization, an unauthenticated user can trigger an escalation of privilege via network access [1].

Exploitation

An attacker with network access must convince a user to interact with a maliciously crafted URL; user interaction is required, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The attacker can then exploit the improper authorization to perform actions with elevated privileges [1].

Impact

Successful exploitation results in high confidentiality and integrity impact, with no effect on availability (C:H/I:H/A:N). The attacker gains unauthorized access to sensitive information and the ability to modify data, effectively achieving privilege escalation [1].

Mitigation

Zoom has addressed this issue in Zoom Workplace version 7.0.4 for Android and version 7.0.3 for iOS. Users are advised to update to the latest available versions. No workarounds have been disclosed [1].

References
  1. ZSB-26010

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
