The zip format's AES encryption (the WinZip AE-x scheme) does not use the user's password directly as the AES key; it derives the key from the password with PBKDF2-HMAC-SHA1. HMAC replaces any key longer than its hash function's block size (64 bytes for SHA-1) with the hash of that key before using it, and after that step nothing downstream can tell whether it was given the original password or the hash. The result is that a long password and the raw SHA-1 digest of that password derive the same AES key, so both are accepted as the correct password.
I don't think it's a security vulnerability. Also, technically, these zip files may have more valid passwords, because by fixing the output of a hash function, there may be many inputs that produce the same output, although you can only find them if you know how to reverse a hash function.
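The behaviour described above, as an added example that is not code from the original page or from any zip implementation: it derives the WinZip-style key with Python's `hashlib.pbkdf2_hmac` and checks that a password longer than SHA-1's 64-byte HMAC block size and the raw SHA-1 digest of that password yield the same key, while a short password and its digest do not. The salt, iteration count (1000, as WinZip AE-2 uses) and the sample passwords are constructed for the demonstration.

```python
import hashlib

# HMAC-SHA1 processes keys in 64-byte blocks (RFC 2104); longer keys are hashed first.
SHA1_BLOCK_SIZE = 64


def winzip_key(password: bytes, salt: bytes, iterations: int = 1000, dklen: int = 32) -> bytes:
    """Derive an AES-256 key the way WinZip AE-2 does: PBKDF2-HMAC-SHA1 over the password."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def equivalent_password(password: bytes) -> bytes:
    """Return the alternate password HMAC would accept: the SHA-1 digest if the
    password exceeds the HMAC block size, otherwise the password itself (no alternate)."""
    if len(password) > SHA1_BLOCK_SIZE:
        return hashlib.sha1(password).digest()
    return password


def same_key(password_a: bytes, password_b: bytes, salt: bytes) -> bool:
    """True if both passwords derive the identical AES key for the given salt."""
    return winzip_key(password_a, salt) == winzip_key(password_b, salt)


# Constructed inputs: a fixed 16-byte salt and a 100-byte password.
SALT = bytes(range(16))
LONG_PASSWORD = b"A" * 100
SHORT_PASSWORD = b"hunter2"


def demo() -> dict:
    """Collect the checks a reader would want to see; returns a dict of booleans."""
    long_alt = equivalent_password(LONG_PASSWORD)      # 20-byte SHA-1 digest
    short_alt = hashlib.sha1(SHORT_PASSWORD).digest()  # digest of a short password
    return {
        "long_password_and_its_sha1_collide": same_key(LONG_PASSWORD, long_alt, SALT),
        "short_password_and_its_sha1_collide": same_key(SHORT_PASSWORD, short_alt, SALT),
        "alternate_is_shorter_than_block": len(long_alt) <= SHA1_BLOCK_SIZE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first check is true and the second is false: the collision only exists once the password crosses the HMAC block size, because that is the only case in which HMAC substitutes the hash for the key. Since the digest is raw bytes rather than printable text, the "second password" is not something a user would type, which is why it is a curiosity rather than a practical weakness.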