Description
Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.
Published: 2026-05-28
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Zed 0.226.x and earlier, the editor constructs SSH and WSL remote shell commands by prepending "exec env ..." to a string into which environment variable keys are inserted unquoted and unvalidated. When an attacker can supply a key containing shell expansion syntax, such as $(command), the remote shell evaluates that syntax when a terminal is opened, allowing the attacker to run arbitrary commands as the victim user. This flaw is a classic instance of CWE-78, OS command injection (improper neutralization of special elements used in an OS command).

Affected Systems

Zed Industries’ Zed code editor is affected, specifically all releases older than 0.227.1. The vulnerability exists for all platforms that support SSH or WSL remote terminal sessions.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 8.6, indicating high severity. No EPSS score is publicly available, but the nature of the flaw, remote command execution via a locally controllable environment variable, suggests a high likelihood of exploitation wherever the variable name can be influenced. The attack vector is inferred to be project terminal settings or a similar configuration interface that lets an attacker set environment variable names; the attack requires the victim to have SSH/WSL access to the remote host and the attacker to have local control over Zed's configuration. The vulnerability is not currently listed in CISA's KEV catalog, but the high impact warrants pre-emptive action.

Generated by OpenCVE AI on May 28, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zed to version 0.227.1 or later, where the vulnerable code path has been fixed.
  • If an upgrade cannot be applied immediately, modify any project terminal settings that allow custom environment variable keys so that key names contain no shell metacharacters or expansion syntax; consider escaping or sanitising the values used as keys.
  • Until the patch is available, disable or restrict the SSH/WSL remote terminal functionality so that no remote shell commands are executed from the editor.

Generated by OpenCVE AI on May 28, 2026 at 18:55 UTC.
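The Impact section above describes an "exec env ..." command string assembled from unvalidated keys, and the recommended actions ask that key names be restricted to shell-safe characters. The following is an added example written for this page; it is not Zed's code and assumes nothing about Zed's internals beyond the advisory text. It places a simplified version of the unsafe pattern (keys and values concatenated as-is) next to a hardened builder that rejects any key that is not a POSIX environment variable name and single-quotes every value and argument, so the remote shell never expands anything in the string.

```rust
// Added example (not Zed's code): build an `exec env ...` remote command line
// while validating env keys and single-quoting values, so that no part of the
// string is interpreted by the remote shell. The builder signatures and sample
// inputs below are constructed for this illustration.

/// A POSIX-portable environment variable name: [A-Za-z_][A-Za-z0-9_]*.
/// Anything else (spaces, `$`, `(`, `)`, backticks, `=`) is rejected outright
/// rather than quoted, because `env` would not accept it as a name anyway.
pub fn is_valid_env_key(key: &str) -> bool {
    let mut chars = key.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Single-quote a string for a POSIX shell. Inside single quotes nothing is
/// expanded; an embedded `'` is emitted as `'\''` (close, escaped quote, reopen).
pub fn shell_single_quote(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

/// The unsafe pattern described in the advisory: keys and values are pasted
/// into the command string verbatim. Kept only to contrast with the safe builder.
pub fn build_exec_env_unquoted(env: &[(&str, &str)], program: &[&str]) -> String {
    let mut cmd = String::from("exec env");
    for (k, v) in env {
        cmd.push_str(&format!(" {}={}", k, v));
    }
    for arg in program {
        cmd.push_str(&format!(" {}", arg));
    }
    cmd
}

/// Hardened builder: refuses any key that is not a valid environment variable
/// name and single-quotes every value and every program argument.
pub fn build_exec_env_quoted(env: &[(&str, &str)], program: &[&str]) -> Result<String, String> {
    let mut cmd = String::from("exec env");
    for (k, v) in env {
        if !is_valid_env_key(k) {
            return Err(format!("refusing to use invalid environment variable name {:?}", k));
        }
        cmd.push_str(&format!(" {}={}", k, shell_single_quote(v)));
    }
    for arg in program {
        cmd.push_str(&format!(" {}", shell_single_quote(arg)));
    }
    Ok(cmd)
}

fn main() {
    let program = ["sh", "-l"];
    // Constructed benign settings, including a value with an embedded quote.
    let benign = [("TERM", "xterm-256color"), ("GREETING", "it's here")];
    println!("{}", build_exec_env_quoted(&benign, &program).unwrap());
    // A key carrying the expansion syntax named in the advisory (constructed
    // sample): the unquoted builder passes it through, the hardened one refuses it.
    let hostile = [("$(command)", "x")];
    println!("{}", build_exec_env_unquoted(&hostile, &program));
    println!("{:?}", build_exec_env_quoted(&hostile, &program));
}
```

Rejecting bad key names rather than quoting them is deliberate: a quoted key would still not be a usable variable name, so the only correct outcome for a key like $(command) is an error surfaced to the user before any remote command is issued. Values and arguments, by contrast, may legitimately contain anything and are therefore single-quoted.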


Advisories

No advisories yet.

History

Thu, 28 May 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Zed-industries; Zed-industries zed
Vendors & Products                     Zed-industries; Zed-industries zed

Thu, 28 May 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description                    Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.
Title                          Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)
Weaknesses                     CWE-78
References
Metrics                        cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:28:02.304Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44461

Vulnrichment

Updated: 2026-05-28T17:27:58.733Z

NVD

Status : Received

Published: 2026-05-28T17:16:28.853

Modified: 2026-05-28T18:16:32.990

Link: CVE-2026-44461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T18:30:23Z

Weaknesses