Description
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.
Published: 2026-05-28
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Zed’s terminal tool permission system permits an attacker to embed Bash arithmetic expansion ($((…))) within an allowlisted command. This injection allows the execution of arbitrary shell commands inside the editor’s integrated terminal. The weakness is a command‑injection vulnerability (CWE‑78). Based on the description, it is inferred that the attack requires an attacker who can run a crafted command inside the Zed terminal, and that the injected commands execute with the privileges of the Zed process.
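The weakness class described above, illustrated with an added example that is not Zed's code (Zed's actual checker is not shown on this page): a naive allowlist that only looks at the leading word lets `echo $((...))` through, while a hardened check rejects anything the shell would expand before the command reaches a shell at all. The allowlist contents and function names are assumptions made for the example.

```python
import re
import shlex

# Constructed allowlist for the example; the real Zed allowlist is not on the page.
ALLOWLIST = {"echo", "ls", "cat"}

# Anything here makes the shell evaluate text instead of passing it as a plain
# argument: $((...)) arithmetic, $(...) and backtick command substitution,
# ${...} / $NAME parameter expansion, and separators, pipes and redirections.
SHELL_EXPANSION = re.compile(r"\$\(\(|\$\(|`|\$\{|\$[A-Za-z_]|[;&|<>]")


def weak_is_allowed(command: str) -> bool:
    """Naive check: compares only the first word with the allowlist.
    'echo $((...))' passes because nothing after 'echo' is inspected."""
    stripped = command.strip()
    first = stripped.split(None, 1)[0] if stripped else ""
    return first in ALLOWLIST


def hardened_is_allowed(command: str) -> bool:
    """Reject any shell expansion syntax up front, then tokenize without a
    shell and compare the program name with the allowlist. A command that
    passes is meant to be executed as an argv list (e.g. subprocess.run with
    a list), never handed to 'sh -c', so no expansion happens downstream."""
    if SHELL_EXPANSION.search(command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return bool(argv) and argv[0] in ALLOWLIST
```

The hardened check is deliberately strict: a legitimate `echo $HOME` is also refused, which is the trade-off an allowlist gate makes when it cannot reason about what an expansion will produce.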

Affected Systems

All releases of Zed Industries’ Zed editor before version 0.229.0 are vulnerable. Users on those versions should upgrade to 0.229.0 or later.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is local, requiring the attacker to have access to the Zed editor and its integrated terminal. The privilege impact is that injected code runs with the same rights as the Zed process, so if a user runs Zed with elevated privileges, a successful attack could lead to system compromise.

Generated by OpenCVE AI on May 28, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zed to version 0.229.0 or later to receive the official fix.
  • If an immediate upgrade is not feasible, run Zed with the lowest privileges necessary and avoid enabling terminal tool permissions that allow arbitrary commands.
  • Configure Zed’s terminal settings to permit only a safe subset of commands or disable features that support Bash arithmetic expansion.

Advisories

No advisories yet.

History

(No values were removed in any entry; only values added are listed.)

Thu, 28 May 2026 19:45:00 +0000

Type: First Time appeared
Values added: Zed-industries; Zed-industries zed

Type: Vendors & Products
Values added: Zed-industries; Zed-industries zed

Thu, 28 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:00:00 +0000

Type: Description
Values added: Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.

Type: Title
Values added: Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions

Type: Weaknesses
Values added: CWE-78

Type: References
Values added: (none shown)

Type: Metrics (cvssV3_1)
Values added:
{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:10:59.051Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44466

Vulnrichment

Updated: 2026-05-28T19:10:16.026Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T17:16:30.317

Modified: 2026-05-28T18:55:06.837

Link: CVE-2026-44466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses