CVE-2026-44463

HIGH

Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions

Title source: cna

Description

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking the program's behavior (e.g., via the PAGER variable) to execute arbitrary code. This vulnerability is fixed in 0.229.0.


Scores

CVSS v3: 8.6
EPSS: 0.0021
EPSS Percentile: 11.1%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-184, CWE-78
Status: published
Products (2):
zed/zed < 0.229.0
zed-industries/zed < 0.229.0
Published: May 28, 2026
Tracked Since: May 28, 2026