CVE-2026-27967
Received Received - Intake
Symlink Escape in Zed Agent Files Allows Unauthorized File Access

Publication date: 2026-02-26

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27967
EUVD
EUVD-2026-8777
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zed zed to 0.225.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27967 is a high-severity symlink escape vulnerability in the Zed code editor's Agent file tools, specifically in the `read_file` and `edit_file` functions, affecting versions prior to 0.225.9."}, {'type': 'paragraph', 'content': 'The vulnerability allows an attacker to read and write files outside the intended project directory by exploiting symbolic links within a project that point to external file system locations.'}, {'type': 'paragraph', 'content': 'This bypasses workspace boundary protections and privacy controls such as `file_scan_exclusions` and `private_files`, potentially exposing sensitive user data to the language model (LLM).'}, {'type': 'paragraph', 'content': 'The root cause is that the tools validate file paths using worktree-relative paths and exclusion patterns but do not resolve symbolic links to verify if the target file resides within the project directory. Path resolution concatenates paths without canonicalization or symlink resolution, allowing symlinks to escape the project boundary.'}, {'type': 'paragraph', 'content': 'Although the system tracks external symlinks and blocks path traversal attempts like `../`, it fails to enforce the critical check that prevents access to files outside the project, enabling this escape.'}] [1]

Impact Analysis

If you open a project in Zed that contains malicious symbolic links pointing to sensitive files outside the project directory, the Agent file tools can read and write those external files.

This can lead to leakage of sensitive data such as SSH private keys, cloud credentials, Git credentials, shell histories, and system files.

Attackers can craft repositories with such symlinks, and when victims clone and open these projects, their sensitive data can be exposed.

The leaked data can be exploited via prompt injection attacks to exfiltrate secrets, compromising confidentiality and integrity of your system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying projects that contain symbolic links pointing to files outside the project directory, which the Zed Agent file tools might access.'}, {'type': 'paragraph', 'content': 'A practical approach is to scan your project directories for symlinks that point outside their root directories. For example, you can use the following command in a Unix-like system to find symlinks and check their targets:'}, {'type': 'list_item', 'content': 'find /path/to/project -type l -exec ls -l {} +'}, {'type': 'paragraph', 'content': 'This command lists all symbolic links in the project and their targets. You should verify if any of these targets point outside the project directory.'}, {'type': 'paragraph', 'content': 'Additionally, you can use canonicalization commands to check if symlink targets escape the project boundary, for example:'}, {'type': 'list_item', 'content': 'readlink -f /path/to/symlink'}, {'type': 'paragraph', 'content': 'If the resolved path is outside the project directory, it indicates a potential symlink escape vulnerability.'}, {'type': 'paragraph', 'content': "Since the vulnerability involves the Zed Agent's `read_file` and `edit_file` tools, monitoring usage of these tools on projects with such symlinks can help detect exploitation attempts."}] [1]

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Zed to version 0.225.9 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, you should:

  • Avoid opening projects that contain symbolic links pointing outside the project directory.
  • Manually inspect and remove or replace any symlinks in your projects that point to external paths.
  • Restrict usage of the Zed Agent file tools (`read_file`, `edit_file`) on untrusted projects or those with suspicious symlinks.

For developers or maintainers, applying the recommended code fixes to enforce the `is_external` flag check or canonicalize paths before file access is advised to prevent symlink escapes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart