CVE-2026-44461
Analyzed Analyzed - Analysis Complete
Command Injection in Zed Code Editor

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-03
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-44461
EUVD
EUVD-2026-32936
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zed zed to 0.227.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Zed code editor versions prior to 0.227.1. Zed builds SSH/WSL remote commands as a shell command string starting with 'exec env ...', but it inserts environment variable keys without any shell quoting or validation.

If an attacker can control an environment variable key, for example through project terminal settings, shell expansions within the key (such as $(...)) are executed by the remote shell when a terminal is opened.

This behavior allows an attacker to execute arbitrary commands on the remote host under the victim user's account.

Impact Analysis

The vulnerability can lead to arbitrary command execution on the remote host with the privileges of the victim user.

This means an attacker could run malicious commands remotely, potentially leading to data theft, system compromise, or further attacks within the affected environment.

Because the attacker can execute commands remotely, the integrity, confidentiality, and availability of the affected system and its data can be severely impacted.

Mitigation Strategies

To mitigate this vulnerability, update Zed to version 0.227.1 or later, where the issue is fixed.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary commands on a remote host under the victim user's account, potentially leading to unauthorized data access, modification, or exfiltration.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Detection Guidance

This vulnerability can be detected by checking if your Zed editor version is prior to 0.227.1 and if any project terminal settings contain environment variable keys with shell expansions or suspicious characters.

Specifically, inspect the `.zed/settings.json` file in your project directories for environment variable keys that include shell command substitutions such as $(...) or other special shell characters.

You can use commands like the following to search for suspicious environment variable keys in your project settings:

  • grep -r --include=settings.json '".*\$\(.*\).*"' .
  • grep -r --include=settings.json '".*;.*"' .

Additionally, verify your Zed version by running the command to check the installed version and ensure it is 0.227.1 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart