PatchSiren cyber security CVE debrief
CVE-2026-44461 zed-industries CVE debrief
Zed code editor versions prior to 0.227.1 contain a command injection vulnerability in SSH/WSL remote terminal initialization. The editor constructs remote shell commands using environment variable keys without shell quoting or validation. An attacker who can influence environment variable names, for example through project-specific terminal settings, can embed shell expansion syntax (e.g., command substitution) that the remote shell evaluates when a remote terminal opens. This results in arbitrary command execution on the remote host with the victim user's privileges. The attack vector is local and requires user interaction, but the impact is high across confidentiality, integrity, and availability because of the SSH/WSL remote context. The issue was resolved in Zed 0.227.1.
- Vendor: zed-industries
- Product: zed
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations and developers using Zed for remote development via SSH or WSL, particularly those working with shared or untrusted project repositories that may contain malicious terminal configurations. Security teams managing IDE deployments and remote development environments should prioritize this patch.
Technical summary
The vulnerability exists in Zed's construction of SSH/WSL remote shell commands. The editor builds command strings starting with 'exec env ...' and inserts environment variable keys into that string without shell quoting or validation, so shell expansion characters in a variable name are interpreted by the remote shell rather than treated as literal text. An attacker who controls environment variable keys through project terminal settings can therefore achieve arbitrary command execution on the remote host when the victim opens a terminal. The attack requires local access and user interaction but yields high impact in remote development scenarios.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Zed to version 0.227.1 or later to eliminate the command injection vulnerability in remote terminal initialization.
- Audit project-specific terminal settings and environment variable configurations for untrusted or unusual variable names, particularly those containing shell metacharacters or substitution syntax.
- Restrict write access to project configuration files that define terminal environment variables to prevent attacker-controlled injection.
- Review remote host access logs for anomalous command execution patterns that may indicate exploitation attempts prior to patching.
- Consider implementing additional input validation layers for environment variable keys in custom Zed extensions or forks if immediate upgrade is not feasible.
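The root cause in the technical summary is a command string of the form 'exec env KEY=value ...' assembled from untrusted keys. The following Rust code is an added example written for this debrief, not Zed's own implementation, showing the shape of a safe builder: every key must be a POSIX variable name and every value is single-quoted, so a key carrying substitution syntax causes the command to fail closed instead of being sent to the remote host. The same key check can back the settings audit recommended above. The function and type names are assumptions for illustration, and the remote shell is assumed to be POSIX sh-compatible.

```rust
// Added example (not Zed's code): build the `exec env` prefix for a remote
// shell while refusing environment variable keys that are not valid POSIX
// names and single-quoting every value. Assumption: the remote shell is
// POSIX sh-compatible and receives the command as a single string.

use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub enum EnvError {
    /// The key is not a valid shell identifier, so the shell could treat
    /// it as an expansion, a word separator, or a separate command.
    InvalidKey(String),
}

/// True if `key` is a POSIX portable variable name: [A-Za-z_][A-Za-z0-9_]*.
/// Anything else ($, parentheses, backticks, spaces, ;, ...) is rejected
/// rather than quoted, because a quoted name would not be a usable
/// variable on the remote host anyway.
pub fn is_valid_env_key(key: &str) -> bool {
    let mut chars = key.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Single-quote a value for a POSIX shell. Nothing is expanded inside
/// single quotes; an embedded single quote becomes '\'' (close the quote,
/// emit an escaped quote, reopen).
pub fn shell_quote(value: &str) -> String {
    let mut out = String::with_capacity(value.len() + 2);
    out.push('\'');
    for c in value.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

/// Build `exec env KEY='value' ... 'program'` with every key validated and
/// every value quoted. One bad key fails the whole command instead of
/// letting it reach the remote shell.
pub fn build_remote_exec(
    env: &BTreeMap<String, String>,
    program: &str,
) -> Result<String, EnvError> {
    let mut cmd = String::from("exec env");
    for (key, value) in env {
        if !is_valid_env_key(key) {
            return Err(EnvError::InvalidKey(key.clone()));
        }
        cmd.push(' ');
        cmd.push_str(key);
        cmd.push('=');
        cmd.push_str(&shell_quote(value));
    }
    cmd.push(' ');
    cmd.push_str(&shell_quote(program));
    Ok(cmd)
}

fn main() {
    // Constructed sample input: well-formed keys, one value with a quote.
    let mut good = BTreeMap::new();
    good.insert("TERM".to_string(), "xterm-256color".to_string());
    good.insert("GREETING".to_string(), "it's fine".to_string());
    println!("{:?}", build_remote_exec(&good, "/bin/sh"));

    // Constructed sample input: a key carrying substitution syntax, the
    // kind of value a project settings file could supply. Rejected.
    let mut bad = BTreeMap::new();
    bad.insert("TERM$(cmd)".to_string(), "x".to_string());
    println!("{:?}", build_remote_exec(&bad, "/bin/sh"));
}
```

Rejecting malformed keys outright, rather than trying to escape them, is the right choice here: a variable name containing shell metacharacters has no legitimate meaning to `env`, so there is nothing useful to preserve by quoting it.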
Evidence notes
Vulnerability confirmed via GitHub Security Advisory GHSA-63qj-jc2q-7hg5. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. CWE-78 (OS Command Injection) identified. Fix version 0.227.1 explicitly stated in advisory.
Official resources
- CVE-2026-44461 CVE record (CVE.org)
- CVE-2026-44461 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28T17:16:28.853Z