PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44462 zed-industries CVE debrief

A command injection vulnerability in Zed's terminal tool permission system allows bypass of allowlist restrictions via Bash parameter expansion chaining. The flaw exists in versions prior to 0.229.0 and permits arbitrary command execution when an attacker supplies specially crafted input using `${var@P}` syntax to a terminal tool configured with an allowlisted command prefix. The CVSS 3.1 score of 6.4 reflects network attack vector, high attack complexity, no required privileges, required user interaction, and unchanged scope with high confidentiality impact and low integrity/availability impact. The vulnerability was disclosed via GitHub Security Advisory and is currently undergoing analysis in NVD. No known exploitation in ransomware campaigns has been reported.

Vendor: zed-industries
Product: zed
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations and developers using Zed's AI-assisted terminal tool feature with custom allowlist configurations; security teams evaluating supply chain risk in development tools; Zed users working in multi-tenant or untrusted workspace environments.

Technical summary

The Zed code editor's terminal tool feature implements a permission system based on command prefix allowlisting. Prior to version 0.229.0, this mechanism fails to account for Bash parameter expansion operators, specifically the `${parameter@P}` expansion, which expands the parameter as if it were a prompt string. Because only the leading command prefix is compared against the allowlist, an attacker can chain this expansion to inject arbitrary commands despite the restriction. For example, if `/usr/bin/git` is allowlisted, an attacker could craft input whose prefix is `/usr/bin/git` but whose remaining arguments use variable expansion to execute unintended commands. The vulnerability requires user interaction (accepting a terminal tool suggestion) and has high attack complexity because it depends on a specific allowlist configuration and on social engineering. The fix in 0.229.0 changes the parsing logic to properly handle or reject dangerous expansion patterns in terminal tool arguments.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Zed to version 0.229.0 or later to remediate the terminal tool permission bypass vulnerability
  • Review terminal tool configurations for allowlisted command prefixes that may be susceptible to parameter expansion attacks
  • Audit terminal tool usage logs for suspicious `${var@P}` or similar bash expansion patterns
  • Implement additional input validation for terminal tool arguments beyond prefix matching
  • Consider disabling terminal tool functionality for untrusted workspaces until patching is complete
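The following is an added example, not code from Zed or from the advisory, illustrating the gap described in the technical summary and the last two recommended actions: a naive prefix check beside a hardened validator that also rejects Bash expansion constructs, applied to a few constructed log lines. The allowlist, the `cmd=` log format and the sample lines are all assumptions made for the example.

```python
import re

# Constructed sample allowlist. A prefix check only compares the leading word,
# which says nothing about what the rest of the line expands to at run time.
ALLOWLIST = frozenset({"git", "/usr/bin/git"})

# Expansion constructs that let a shell line run something other than its
# leading command. ${parameter@P} (prompt-string expansion, named in the
# advisory) is one; the others are standard Bash expansions a conservative
# validator should treat the same way.
DANGEROUS = re.compile(
    r"\$\{[^}]*@[A-Za-z][^}]*\}"  # ${parameter@operator}, e.g. ${var@P}
    r"|\$\{"                      # any other brace parameter expansion
    r"|\$\("                      # command substitution $(...)
    r"|`"                         # backtick command substitution
)


def prefix_allowed(command: str) -> bool:
    """The naive check: is the first word on the allowlist?"""
    words = command.strip().split(maxsplit=1)
    return bool(words) and words[0] in ALLOWLIST


def validate_command(command: str) -> tuple[bool, str]:
    """Prefix check plus rejection of expansion constructs in the arguments."""
    if not prefix_allowed(command):
        return False, "prefix not allowlisted"
    hit = DANGEROUS.search(command)
    if hit:
        return False, f"rejected expansion {hit.group(0)!r}"
    return True, "ok"


def audit_log(lines):
    """Return (line number, command, reason) for each line the hardened check rejects."""
    findings = []
    for n, line in enumerate(lines, 1):
        cmd = line.split(" cmd=", 1)[1] if " cmd=" in line else line
        ok, reason = validate_command(cmd)
        if not ok:
            findings.append((n, cmd, reason))
    return findings


# Constructed sample log lines in a hypothetical "<ts> tool=terminal cmd=<command>" format.
SAMPLE_LOG = [
    "2026-05-28T10:00:01 tool=terminal cmd=git status",
    "2026-05-28T10:00:07 tool=terminal cmd=git log ${x@P}",
    "2026-05-28T10:00:09 tool=terminal cmd=git diff $(pwd)",
    "2026-05-28T10:00:12 tool=terminal cmd=rm -rf build",
]

if __name__ == "__main__":
    for n, cmd, reason in audit_log(SAMPLE_LOG):
        print(f"line {n}: {cmd!r}: {reason}")
```

Note that the second sample line passes `prefix_allowed` but is rejected by `validate_command`, which is exactly the difference between the pre-0.229.0 behaviour and a check that looks beyond the prefix.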

Evidence notes

Vulnerability description sourced from NVD record and GitHub Security Advisory GHSA-rqq3-p6x4-q866. CWE-184 (Incomplete List of Disallowed Inputs) identified as primary weakness. Fix version 0.229.0 confirmed in advisory.

Official resources

2026-05-28