CVE-2026-27967
Symlink Escape in Zed Agent Files Allows Unauthorized File Access

Publication date: 2026-02-26

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.
Meta Information
Published: 2026-02-26
Last modified: 2026-03-05
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products
Vendor: zed
Product: zed
Version / Range: all versions up to 0.225.9 (excluding 0.225.9)
Weakness
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27967 is a high-severity symlink escape vulnerability in the Zed code editor's Agent file tools, specifically in the `read_file` and `edit_file` functions, affecting versions prior to 0.225.9.

The vulnerability allows an attacker to read and write files outside the intended project directory by exploiting symbolic links within a project that point to external file system locations.

This bypasses workspace boundary protections and privacy controls such as `file_scan_exclusions` and `private_files`, potentially exposing sensitive user data to the language model (LLM).

The root cause is that the tools validate file paths using worktree-relative paths and exclusion patterns but do not resolve symbolic links to verify whether the target file resides within the project directory. Path resolution concatenates paths without canonicalization or symlink resolution, allowing symlinks to escape the project boundary.

Although the system tracks external symlinks and blocks path traversal attempts like `../`, it fails to enforce the critical check that prevents access to files outside the project, enabling this escape. [1]


How can this vulnerability impact me?

If you open a project in Zed that contains malicious symbolic links pointing to sensitive files outside the project directory, the Agent file tools can read and write those external files.

This can lead to leakage of sensitive data such as SSH private keys, cloud credentials, Git credentials, shell histories, and system files.

Attackers can craft repositories with such symlinks, and when victims clone and open these projects, their sensitive data can be exposed.

The leaked data can be exploited via prompt injection attacks to exfiltrate secrets, compromising confidentiality and integrity of your system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying projects that contain symbolic links pointing to files outside the project directory, which the Zed Agent file tools might access.

A practical approach is to scan your project directories for symlinks that point outside their root directories. For example, you can use the following command on a Unix-like system to find symlinks and show their targets:

  • find /path/to/project -type l -exec ls -l {} +

This command lists all symbolic links in the project and their targets. You should verify whether any of these targets point outside the project directory.

Additionally, you can use canonicalization commands to check whether symlink targets escape the project boundary, for example:

  • readlink -f /path/to/symlink

If the resolved path is outside the project directory, it indicates a potential symlink escape.

Since the vulnerability involves the Zed Agent's `read_file` and `edit_file` tools, monitoring usage of these tools on projects with such symlinks can help detect exploitation attempts. [1]
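The root-cause description in the first answer (paths concatenated without canonicalization) and the `find` / `readlink -f` scan above map onto a short script. The following Python is an added example, not code from the Zed project or from this record: `naive_inside` reproduces the concat-only boundary check that rejects `../` but trusts symlinks; `resolves_inside` is the hardened form that canonicalizes with `Path.resolve()` before testing the boundary, in the spirit of the "canonicalize paths before file access" fix mentioned in the mitigation answer; `find_escaping_symlinks` is a scripted version of the two detection commands. `build_demo_project` creates a constructed sample tree in a temporary directory, and all function names are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path


def naive_inside(project_root, rel_path):
    """The flawed pattern: lexically join and normalize, then compare prefixes.
    This rejects '../' traversal but never follows symlinks, so a link inside
    the project that points outside it passes the check."""
    root = str(Path(project_root).resolve())
    candidate = os.path.normpath(os.path.join(root, rel_path))
    return candidate == root or candidate.startswith(root + os.sep)


def resolves_inside(project_root, rel_path):
    """The hardened check: canonicalize (follow every symlink component) and
    only then test that the real path is still under the project root."""
    root = Path(project_root).resolve()
    real = (root / rel_path).resolve()
    try:
        real.relative_to(root)
        return True
    except ValueError:
        return False


def find_escaping_symlinks(project_root):
    """Scripted version of 'find -type l' plus 'readlink -f': list every symlink
    in the project whose resolved target lies outside the project root."""
    root = Path(project_root).resolve()
    findings = []
    # followlinks=False (the default) lists symlinked directories but does not descend into them
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()
            try:
                target.relative_to(root)
            except ValueError:
                findings.append((str(link.relative_to(root)), str(target)))
    return sorted(findings)


def build_demo_project():
    """Constructed sample tree (hypothetical layout): a project directory with
    two symlinks that escape it and one that stays inside. Returns the project path."""
    base = Path(tempfile.mkdtemp(prefix="symlink-escape-demo-"))
    outside = base / "outside"
    outside.mkdir()
    (outside / "id_rsa").write_text("constructed sample, not a real key\n")
    project = base / "project"
    (project / "src").mkdir(parents=True)
    (project / "src" / "main.rs").write_text("fn main() {}\n")
    (project / "docs").symlink_to(outside)                          # directory link escaping the root
    (project / "notes.txt").symlink_to(outside / "id_rsa")          # file link escaping the root
    (project / "entry.rs").symlink_to(project / "src" / "main.rs")  # benign: resolves inside
    return project


if __name__ == "__main__":
    project = build_demo_project()
    for rel in ("src/main.rs", "entry.rs", "notes.txt", "docs/id_rsa", "../outside/id_rsa"):
        print(f"{rel:20} naive={naive_inside(project, rel)!s:5} canonical={resolves_inside(project, rel)}")
    for link, target in find_escaping_symlinks(project):
        print(f"escaping symlink: {link} -> {target}")
```

Running the script shows the gap the advisory describes: `notes.txt` and `docs/id_rsa` pass the prefix-only check but fail the canonicalized one, while `../outside/id_rsa` is rejected by both, which is why blocking `../` alone is not enough. The scanner can be pointed at any checkout before an agent tool is allowed to touch it.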


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade Zed to version 0.225.9 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, you should:

  • Avoid opening projects that contain symbolic links pointing outside the project directory.
  • Manually inspect and remove or replace any symlinks in your projects that point to external paths.
  • Restrict usage of the Zed Agent file tools (`read_file`, `edit_file`) on untrusted projects or those with suspicious symlinks.

For developers or maintainers, applying the recommended code fixes to enforce the `is_external` flag check or canonicalize paths before file access is advised to prevent symlink escapes.

