Zoom is warning customers of a critical vulnerability in its Windows desktop client and related software that could allow an unauthenticated attacker to take over user accounts. The flaw, tracked as CVE-2026-53412, was discovered internally by Zoom and carries a severity score of 9.8 out of 10.

According to the company’s advisory, the issue is an improper input validation vulnerability that affects Zoom Workplace for Windows before version 7.0.0, the Windows VDI Client before versions 7.0.10, 6.6.15, and 6.5.18, and the Meeting SDK for Windows before version 7.0.0. Zoom Workplace, the rebranded successor to the original Zoom app, is a widely used collaboration platform for video meetings, chat, VoIP calling, and document collaboration, with the Windows client deployed across millions of individual and enterprise environments.

Zoom’s advisory states that the flaw “may allow an unauthenticated user to conduct an account takeover via network access,” but the company has not released technical details about the vulnerability or how it could be exploited. Zoom is urging all affected users to update to the latest available versions to mitigate the risk.

Additional high-severity fixes

Alongside the critical bug, Zoom’s latest security update addresses three high-severity flaws that require local, authenticated access to exploit:

  • CVE-2026-53410: a time-of-check to time-of-use (TOCTOU) race condition affecting Zoom Workplace for Windows before 7.0.5, the Workplace VDI Client and VDI Plugin before 6.5.17/6.6.14, Zoom Rooms for Windows before 7.0.5, and Remote Control for Zoom Contact Center before 7.0.0. It could let a local authenticated user escalate privileges during installation or uninstallation.
  • CVE-2026-53409: an improper privilege management flaw in Zoom Rooms for Windows before version 7.1.0 that could allow a local authenticated user to escalate privileges.
  • CVE-2026-53411: an improper input validation flaw in the Zoom Workplace VDI Plugin for Windows before version 6.6.14 that could similarly enable local privilege escalation.

Zoom says there is currently no evidence that any of these vulnerabilities, including the critical account takeover flaw, are being exploited in the wild. Given the scale of Zoom’s Windows client deployment and the critical severity of CVE-2026-53412, security teams should prioritize patching across managed endpoints and confirm that automated update mechanisms have applied the fixed versions.