
PatchSiren cyber security CVE debrief

CVE-2026-44463 zed-industries CVE debrief

Zed code editor versions prior to 0.229.0 contain a terminal tool permission bypass vulnerability. The flaw allows arbitrary code execution by prepending environment variable assignments to allowlisted commands, effectively hijacking program behavior through variables such as PAGER. The CVSS 3.1 vector indicates a local attack vector with low attack complexity, no privileges required, user interaction needed, and changed scope with high impacts to confidentiality, integrity, and availability. The vulnerability is classified under CWE-78 (OS Command Injection) and CWE-184 (Incomplete List of Disallowed Inputs). A fix is available in version 0.229.0.

Vendor: zed-industries
Product: zed
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations and individual developers using Zed code editor versions prior to 0.229.0, particularly those leveraging terminal tool functionality with custom allowlists or in multi-user environments where privilege boundaries must be enforced.

Technical summary

The Zed code editor's terminal tool implements a permission system designed to restrict command execution. Prior to version 0.229.0, this system fails to properly validate or sanitize environment variable assignments prepended to allowlisted commands. An attacker can inject environment variables such as PAGER to hijack program behavior and execute arbitrary code. The vulnerability requires local access and user interaction but achieves high impact across confidentiality, integrity, and availability due to changed scope. The attack complexity is low, indicating reliable exploitation. The fix in version 0.229.0 addresses the input validation gap.
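The bypass class described above, as an added illustration that is not Zed's code and does not reproduce its actual permission check: a hypothetical allowlist checker that locates the program name the way a shell does (skipping leading NAME=value assignments) and therefore accepts a prepended PAGER assignment, beside a stricter variant that refuses any assignment placed before the program. The allowlist contents, function names and sample commands are constructed for the example.

```rust
// Illustrative example only; not Zed's implementation. The allowlist,
// function names and sample commands below are assumptions.

/// Program names a hypothetical terminal tool lets an agent run unprompted.
pub const ALLOWLIST: &[&str] = &["ls", "git", "cargo"];

/// True if `tok` has the shape of a POSIX shell variable assignment, NAME=value,
/// where NAME starts with a letter or underscore and contains only [A-Za-z0-9_].
pub fn is_env_assignment(tok: &str) -> bool {
    match tok.split_once('=') {
        Some((name, _)) => {
            let mut chars = name.chars();
            match chars.next() {
                Some(c) if c.is_ascii_alphabetic() || c == '_' => {
                    chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
                }
                _ => false,
            }
        }
        None => false,
    }
}

/// Weak pattern (CWE-184 style): skip leading assignments to find the program,
/// then allowlist by program name alone. "PAGER=... git log" is accepted even
/// though the assignment changes which binary `git log` ends up executing.
pub fn permissive_is_allowed(cmd: &str) -> bool {
    cmd.split_whitespace()
        .find(|t| !is_env_assignment(t))
        .map_or(false, |program| ALLOWLIST.contains(&program))
}

/// Stricter pattern: the first token must itself be an allowlisted program.
/// Any leading assignment is treated as outside the allowlist and returned
/// as a reason the caller can surface in a permission prompt or audit log.
pub fn strict_is_allowed(cmd: &str) -> Result<(), String> {
    let first = cmd
        .split_whitespace()
        .next()
        .ok_or_else(|| "empty command".to_string())?;
    if is_env_assignment(first) {
        return Err(format!(
            "assignment '{}' before the program is not permitted by the allowlist",
            first
        ));
    }
    if ALLOWLIST.contains(&first) {
        Ok(())
    } else {
        Err(format!("'{}' is not an allowlisted program", first))
    }
}

fn main() {
    // Constructed sample commands: a plain allowlisted command and the same
    // command with a PAGER assignment prepended.
    for cmd in ["git log", "PAGER=/tmp/not-a-pager git log", "rm -rf build"] {
        println!(
            "{:<35} permissive={:<5} strict={:?}",
            cmd,
            permissive_is_allowed(cmd),
            strict_is_allowed(cmd)
        );
    }
}
```

The strict variant covers only the prefix form named in the advisory; a real permission layer also has to account for the rest of the shell grammar, which is why upgrading to the fixed version rather than patching an allowlist by hand is the recommended action.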

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Zed to version 0.229.0 or later to remediate this vulnerability
  • Review terminal tool configurations for unauthorized environment variable modifications
  • Audit allowlisted command configurations for potential injection vectors
  • Monitor for anomalous terminal tool behavior indicating potential exploitation attempts

Evidence notes

Vulnerability description and fix version confirmed via official GitHub Security Advisory. CVSS vector and CWE classifications sourced from NVD record. No known exploitation in the wild or ransomware campaign use documented.

Official resources

2026-05-28