Description
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.
Published: 2026-05-28
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zed, a code editor, has a flaw in its terminal tool permission system that was present in all releases before 0.229.0. The flaw allows an attacker to prepend environment variable assignments to an allowlisted command. Because the permission system ignores these assignments, the command is executed with the altered environment, hijacking program behavior through variables such as PAGER and enabling execution of arbitrary code. This is a classic example of a command injection weakness (CWE-78) with additional pitfalls in how allowlists are evaluated (CWE-184). The impact is that any user who can launch Zed and craft the command string can run arbitrary commands with the privileges of the Zed process, compromising confidentiality, integrity, and availability of the host.

Affected Systems

All versions of the Zed application released by Zed Industries prior to 0.229.0 are affected. The vulnerability is mitigated in version 0.229.0 and later.

Risk and Exploitability

The CVSS score of 8.6 indicates a high-risk vulnerability. Although the EPSS score is not available and the issue is not listed in CISA’s KEV catalog, the severity and the lack of notable countermeasures suggest that the bug could be actively exploited by users with local access to the system. The likely attack vector is local, relying on the ability to start Zed and supply a crafted command string. An attacker can therefore achieve arbitrary command execution on the host machine.

Generated by OpenCVE AI on May 28, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zed to version 0.229.0 or later, which removes the environment variable bypass available in earlier releases.
  • If upgrading is not immediately feasible, remove or unset the PAGER environment variable before starting Zed to prevent hijacking of the pager program.
  • For environments where recompilation is possible, patch the terminal tool permission logic to strip or reject environment variable assignments from allowlisted commands.
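The third action above, rejecting environment variable assignments before an allowlist match, is illustrated below in Rust, the language Zed is written in. This is an added example, not Zed's own code: `check_naive` is a hypothetical model of the flawed check class the advisory describes (skip leading assignments, match only the program name), and `check_hardened` is the corrected form. The allowlist and command strings are constructed sample inputs, and the tokenizer assumes plain whitespace-separated words with no shell metacharacters.

```rust
/// Outcome of checking a terminal-tool command line against an allowlist
/// of program names. Anything not explicitly allowed falls back to a
/// user confirmation prompt.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allowed,
    NeedsConfirmation(String),
}

/// Returns true when a shell word has the form `NAME=value`, i.e. a POSIX
/// environment variable assignment. Leading words of this form apply to the
/// command that follows and change its behaviour (PAGER, EDITOR, ...) without
/// changing the program name that an allowlist would compare against.
pub fn is_env_assignment(word: &str) -> bool {
    let Some((name, _value)) = word.split_once('=') else {
        return false;
    };
    let mut chars = name.chars();
    // A valid variable name starts with a letter or underscore and continues
    // with letters, digits or underscores.
    let first_ok = matches!(chars.next(), Some(c) if c == '_' || c.is_ascii_alphabetic());
    first_ok && chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

/// Hypothetical model of the flawed check class (assumption, not Zed's code):
/// leading assignments are skipped and only the program name is compared, so
/// `PAGER=... git log` is treated exactly like `git log`.
pub fn check_naive(command: &str, allowlist: &[&str]) -> Decision {
    let program = command.split_whitespace().find(|w| !is_env_assignment(w));
    match program {
        Some(p) if allowlist.contains(&p) => Decision::Allowed,
        _ => Decision::NeedsConfirmation(command.to_string()),
    }
}

/// Hardened check: a leading assignment means the command line is not the
/// allowlisted program as configured, so it is never auto-approved. The
/// first word must itself be an allowlisted program name. Quoting and
/// wrapper programs such as `env` are assumed to be handled elsewhere.
pub fn check_hardened(command: &str, allowlist: &[&str]) -> Decision {
    let mut words = command.split_whitespace();
    match words.next() {
        Some(first) if is_env_assignment(first) => Decision::NeedsConfirmation(format!(
            "leading environment assignment {first:?} is not allowlisted"
        )),
        Some(first) if allowlist.contains(&first) => Decision::Allowed,
        _ => Decision::NeedsConfirmation(command.to_string()),
    }
}

fn main() {
    // Constructed sample allowlist and command lines (not from the advisory).
    let allowlist = ["git", "ls", "cat"];
    for cmd in ["git status", "PAGER=/path/to/pager git log", "rm -rf build"] {
        println!(
            "{cmd:<32} naive={:?} hardened={:?}",
            check_naive(cmd, &allowlist),
            check_hardened(cmd, &allowlist)
        );
    }
}
```

Running the block shows the difference on the second sample: the naive model auto-approves it because the program name after the assignment is `git`, while the hardened check returns `NeedsConfirmation`. A detection-minded variant of the same predicate can be run over terminal-tool audit logs to flag any auto-approved command whose first word matched `is_env_assignment`.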

Generated by OpenCVE AI on May 28, 2026 at 18:53 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Zed-industries
                                       Zed-industries zed
Vendors & Products                     Zed-industries
                                       Zed-industries zed

Thu, 28 May 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description                    Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.
Title                          Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions
Weaknesses                     CWE-184
                               CWE-78
References
Metrics                        cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-05-28T16:15:13.826Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44463

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T17:16:29.810

Modified: 2026-05-28T17:16:29.810

Link: CVE-2026-44463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T18:30:23Z

Weaknesses