Description
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0.
Published: 2026-05-28
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zed’s terminal tool permission system can be overridden by chaining bash variable expansions (${var@P}), enabling an attacker to run arbitrary commands that normally would be confined to an allowlisted prefix. The flaw does not directly expose sensitive data but allows full control over the runtime environment within the editor, thereby compromising confidentiality, integrity, and availability of local systems.

Affected Systems

Zed Industries Zed code editor versions prior to 0.229.0 are affected. No specific patch version list is provided beyond the fix in 0.229.0.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate to high risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The attack vector is inferred to be local; a user with possession of the editor must inject the ${var@P} expression into a terminal session to exploit the flaw. Successful exploitation results in arbitrary command execution under the privileges of the running user within the editor’s terminal.

Generated by OpenCVE AI on May 28, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Zed 0.229.0 or later to apply the vendor patch.
  • Restrict terminal access to trusted commands by disabling or sanitizing bash variable expansions within the editor configuration.
  • Monitor terminal sessions for unexpected variable expansion patterns and audit any unauthorized command executions.

Generated by OpenCVE AI on May 28, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Zed-industries
Zed-industries zed
Vendors & Products Zed-industries
Zed-industries zed

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0.
Title Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions
Weaknesses CWE-184
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L'}

Subscriptions

Zed-industries Zed
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T16:13:49.443Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44462

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-28T17:16:29.623

Modified: 2026-05-28T17:16:29.623

Link: CVE-2026-44462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T18:30:23Z

Weaknesses