CVE-2026-44462
Zed Code Editor Command Injection via Bash Variable Expansion
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zed | zed | up to 0.229.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44462 is a security vulnerability in Zed's terminal tool permission system that allows an attacker to bypass allowlist restrictions using bash variable expansion chaining, specifically the `${var@P}` operator.
The vulnerability occurs because Zed's regex-based validation only checks the initial command token and does not account for nested shell expansions, enabling arbitrary command execution even when only specific commands are allowlisted.
This means an attacker can craft commands with variable assignments that expand to execute unintended commands, such as making network requests, despite restrictions.
The issue affects Linux systems and was fixed in Zed version 0.229.0.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary commands on your system through Zed's terminal tool, bypassing intended command restrictions.
The impact includes potential unauthorized access to sensitive data (high confidentiality impact), limited ability to alter data (low integrity impact), and minor disruption to availability (low availability impact).
Because the attack can be performed remotely over a network and requires user interaction, it poses a moderate security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves bypassing Zed's terminal tool permission system via bash variable expansion chaining (`${var@P}`). Detection involves monitoring for suspicious command patterns that use bash variable expansions to execute arbitrary commands despite allowlist restrictions.
You can look for commands that include variable expansions with the @P operator, such as patterns like `${var@P}` in shell command logs or audit trails.
Example commands to detect potential exploitation attempts might include searching shell history or logs for usage of `${` and `@P` together:
- `grep -r '\${.*@P}' ~/.bash_history /var/log/*`
- auditctl rules to monitor execution of Zed terminal commands and inspect for unusual variable expansions.
Since the vulnerability exploits allowlisted commands by chaining expansions, monitoring for unexpected network requests (e.g., curl commands) initiated from Zed's terminal tool may also help detect exploitation.
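The two detection ideas above (search command logs for `${` and `@P` together, and watch for a variable assignment chained with an expansion) carried out over sample log lines, as an added Python example that is not part of this record or of Zed. The log lines, the function names and the two regexes are constructed for the illustration; the `@P` operator is the one the advisory names.

```python
import re

# Parameter expansion carrying bash's "@P" (prompt-string) transform, the
# operator named in the advisory, e.g. ${var@P}. Anchoring on the braces keeps
# an ordinary ${var} reference from matching.
AT_P_EXPANSION = re.compile(r"\$\{[^}]*@P\}")

# A NAME=value assignment at the start of the line, i.e. a variable set just
# for the command that follows it.
LEADING_ASSIGNMENT = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*=")


def scan_command(cmd: str) -> list[str]:
    """Return the reasons a single command line looks like the chaining
    pattern described in the advisory (empty list means nothing found)."""
    reasons = []
    if AT_P_EXPANSION.search(cmd):
        reasons.append("contains ${...@P} prompt-expansion transform")
    if LEADING_ASSIGNMENT.match(cmd) and "${" in cmd:
        reasons.append("leading variable assignment chained with a parameter expansion")
    return reasons


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Run scan_command over every line; return (line number, line, reasons)
    for the lines that triggered at least one reason."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = scan_command(line)
        if reasons:
            hits.append((number, line, reasons))
    return hits


# Constructed sample of shell-history style lines (not real audit data).
SAMPLE_LOG = [
    "ls -la src/",
    'echo "${HOME}/projects"',      # ordinary expansion, must not fire
    "cargo test --workspace",
    'echo "${PS1@P}"',              # @P transform present
    "MSG=hello ls ${MSG@P}",        # assignment chained with an @P expansion
]

if __name__ == "__main__":
    for number, line, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line!r}")
        for reason in reasons:
            print(f"  - {reason}")
```

A legitimate `echo "${PS1@P}"` (printing the expanded prompt) is flagged as well, so treat hits as triage candidates rather than confirmed exploitation; the chained-assignment reason is the stronger of the two signals for the pattern this advisory describes.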
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Zed to version 0.229.0 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, consider restricting user access to the Zed terminal tool or disabling it to prevent exploitation.
Additionally, review and tighten allowlist rules to avoid relying solely on regex that only checks the initial command token, as this can be bypassed via nested shell expansions.
Monitor for suspicious command executions involving bash variable expansions and network activity originating from Zed to detect potential exploitation attempts.
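The mitigation point about not relying on a regex that checks only the initial command token, shown side by side with a stricter check, as an added Python example that is neither Zed's code nor part of this record. The allowlist, the function names and the sample commands are constructed; the hardened variant rejects the whole class of shell metacharacters instead of enumerating individual expansion operators, which is the CWE-184 trap.

```python
import re
import shlex

# Constructed allowlist for the illustration; Zed's real rules are not on this page.
ALLOWLIST = {"ls", "cargo", "git", "echo"}

# First-token-only validation: accepts anything whose leading word is allowlisted,
# regardless of what follows it. This is the class of check the advisory says
# can be bypassed (CWE-184: the list of handled inputs is incomplete).
FIRST_TOKEN = re.compile(r"^\s*([A-Za-z0-9_./-]+)")


def weak_allowed(cmd: str) -> bool:
    match = FIRST_TOKEN.match(cmd)
    return bool(match) and match.group(1) in ALLOWLIST


# Characters that hand control back to the shell: separators, pipes, redirection,
# command substitution and every form of parameter expansion (the `$` covers
# ${var}, ${var@P} and $(...) alike). Rejecting the whole class avoids having to
# enumerate each expansion operator.
SHELL_META = set(";|&`$<>(){}\n")


def hardened_allowed(cmd: str) -> bool:
    """Accept only a plain allowlisted word followed by literal arguments."""
    if any(ch in SHELL_META for ch in cmd):
        return False
    try:
        words = shlex.split(cmd)   # also rejects unbalanced quotes
    except ValueError:
        return False
    # A leading NAME=value assignment becomes words[0] and is therefore
    # rejected too, since it is not an allowlisted command word.
    return bool(words) and words[0] in ALLOWLIST


if __name__ == "__main__":
    for cmd in ["ls -la src/", "ls ${x@P}", "git log | head", "X=1 echo ${X@P}"]:
        print(f"{cmd!r:24} weak={weak_allowed(cmd)} hardened={hardened_allowed(cmd)}")
```

The cost of the hardened check is that harmless uses of expansion (`echo $HOME`) are refused too; for a tool that executes on an agent's behalf, that trade is the intended one, and the proper fix is the upstream upgrade rather than a local validator.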