{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22567", "assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04", "state": "PUBLISHED", "assignerShortName": "Zscaler", "dateReserved": "2026-01-07T15:52:48.033Z", "datePublished": "2026-02-23T16:13:32.608Z", "dateUpdated": "2026-02-23T18:41:19.949Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ZIA Admin UI", "vendor": "Zscaler", "versions": [{"lessThan": "6.2r", "status": "affected", "version": "6.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrew Allen Hess on behalf of Cyber Defense Team (Deutsche B\u00f6rse Group)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios."}], "value": "Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04", "shortName": "Zscaler", "dateUpdated": "2026-02-23T16:13:32.608Z"}, "references": [{"url": "https://help.zscaler.com/zia/release-upgrade-summary-2025?applicable_category=zscalertwo.net&deployment_date=2025-12-17&id=1538575"}], "source": {"discovery": "UNKNOWN"}, "title": "ZIA Admin UI Input Validation Bug", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:41:08.018240Z", "id": "CVE-2026-22567", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:41:19.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22567", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T18:41:08.018240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:41:13.560Z"}}], "cna": {"title": "ZIA Admin UI Input Validation Bug", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andrew Allen Hess on behalf of Cyber Defense Team (Deutsche B\u00f6rse Group)"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zscaler", "product": "ZIA Admin UI", "versions": [{"status": "affected", "version": "6.2", "lessThan": "6.2r", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://help.zscaler.com/zia/release-upgrade-summary-2025?applicable_category=zscalertwo.net&deployment_date=2025-12-17&id=1538575"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios.", "supportingMedia": [{"type": "text/html", "value": "Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04", "shortName": "Zscaler", "dateUpdated": "2026-02-23T16:13:32.608Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22567", "state": "PUBLISHED", "dateUpdated": "2026-02-23T18:41:19.949Z", "dateReserved": "2026-01-07T15:52:48.033Z", "assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04", "datePublished": "2026-02-23T16:13:32.608Z", "assignerShortName": "Zscaler"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zscaler:zscaler_internet_access_admin_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "D167C381-5347-49C9-B7BF-E34DF00D02D2", "versionEndExcluding": "6.2r", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios."}, {"lang": "es", "value": "Validaci\u00f3n indebida de la entrada proporcionada por el usuario en la UI de administraci\u00f3n de ZIA podr\u00eda permitir a un administrador autenticado iniciar funciones de backend a trav\u00e9s de campos de entrada espec\u00edficos en escenarios limitados."}], "id": "CVE-2026-22567", "lastModified": "2026-02-26T16:44:07.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "cve@zscaler.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-23T17:23:28.913", "references": [{"source": "cve@zscaler.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://help.zscaler.com/zia/release-upgrade-summary-2025?applicable_category=zscalertwo.net&deployment_date=2025-12-17&id=1538575"}], "sourceIdentifier": "cve@zscaler.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve@zscaler.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.2,6.2r)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ZIA Admin UI", "source": "cna", "vendor": "Zscaler"}, "product": "zia_admin_ui", "vendor": "zscaler"}], "analysis": {"en": {"generated_at": "2026-04-17T16:17:05.694026+00:00", "value": {"mitigation_remediation": ["Apply the latest Zscaler ZIA Admin UI patch that addresses the input validation flaw", "Restrict administrative accounts to the minimum necessary privileges and enforce strong authentication controls", "Enable and monitor audit logging for all Admin UI activity to detect abnormal or unauthorized actions"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized execution of backend functions by an authenticated administrator"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of Zscaler ZIA Admin UI that lack the specified input validation fix. No specific version range is provided, so any instance of the ZIA Admin UI prior to the corrective release is considered vulnerable.", "description_and_impact": "Improper validation of user\u2011supplied input in the ZIA Admin UI allows an authenticated administrator to trigger specific backend functions through certain input fields. This flaw can lead to the execution of unintended operations within the backend, potentially giving the attacker the ability to alter settings or perform actions that should be restricted to authorized contexts.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity, but the EPSS score of less than 1% and absence from the CISA KEV catalog suggest a low likelihood of widespread exploitation. The attack vector requires an authenticated administrative session and is limited to specific UI scenarios, so the risk is primarily for organizations with compromised or mismanaged admin credentials."}}}}, "created": "2026-02-24T09:55:33.847121+00:00", "updated": "2026-04-17T16:30:05.821730+00:00", "vendors": ["zscaler", "zscaler$PRODUCT$zia_admin_ui"]}