PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44465 zed-industries CVE debrief

Zed IDE versions prior to 0.227.1 execute arbitrary commands when a folder containing a malicious .git/config file is opened. The file sets the core.fsmonitor Git configuration option, which names a program Git runs whenever it needs the list of paths that changed in the working tree; on affected versions Zed's handling of the repository caused that program to run, in the context of the user running the editor. This yields Remote Code Execution (RCE), and it does so even when the victim opens the folder in untrusted mode. The issue was fixed in Zed version 0.227.1. The vulnerability is classified as improper neutralization of special elements used in an OS command (CWE-78): the editor's handling of Git repository configuration let an attacker-controlled configuration value reach command execution through the fsmonitor hook mechanism.

Vendor
zed-industries
Product
zed
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Development teams and individual developers using Zed IDE; security teams managing software development environments; organizations with bring-your-own-device or contractor development workflows; anyone opening external or untrusted repositories in Zed IDE

Technical summary

The Zed IDE improperly handles the core.fsmonitor Git configuration option when opening folders. A malicious .git/config can name an arbitrary executable as the fsmonitor hook, and Zed causes it to run without adequate validation. Because the execution also happens when the folder is opened in untrusted mode, the mode intended for unfamiliar projects did not prevent the attack on affected versions, and the outcome is Remote Code Execution as the user running the editor. The vulnerability is classified as CWE-78 (OS Command Injection) with a CVSS 3.1 base score of 8.6 (HIGH). The attack vector is local (AV:L), since the victim must open the folder on their own machine, with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R), the interaction being the act of opening the folder. The scope is changed (S:C), reflecting that the injected commands run outside the editor's intended boundary, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Zed IDE to version 0.227.1 or later to remediate this vulnerability
  • Until the upgrade is applied, treat any folder from an external or untrusted source as executable content; on affected versions, opening it in untrusted mode does not prevent this issue
  • Review the .git/config of external repositories before opening them in any IDE: core.fsmonitor set to anything other than a boolean value is a command Git will run. Read the file as text rather than running git commands inside the folder, since those commands are what invoke the hook
  • Train development teams on what Zed's untrusted mode does and does not protect against, so that nobody relies on it as a safeguard on unpatched versions
  • Audit systems for Zed IDE versions prior to 0.227.1 and prioritize patching on workstations that handle external or untrusted codebases
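The mechanism described in the technical summary, and the review step recommended above, both come down to one question: does a repository's .git/config turn core.fsmonitor into a command? The following Python script answers it without executing anything, by parsing the config file as text. It is an added example, not PatchSiren's or Zed's code. It relies on the documented Git behaviour that a core.fsmonitor value which is not a boolean literal is treated as a program to run; the sample config contents, the /tmp/payload.sh path and the example.invalid URL are constructed for illustration.

```python
"""Flag Git repositories whose .git/config turns core.fsmonitor into a command.

Added example, not PatchSiren's or Zed's code. Git treats any core.fsmonitor
value that is not a boolean as a program to run whenever it needs a list of
changed paths; that is the property a malicious .git/config abuses. This
script only reads the file as text, so nothing in the repository executes.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Optional

# Values Git's config parser accepts as booleans (empty means false).
# Only these are NOT a command.
_BOOL_LITERALS = {"true", "yes", "on", "1", "false", "no", "off", "0", ""}

_SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def _unquote(raw: str) -> str:
    """Apply Git's value rules: '#' or ';' outside quotes starts a comment,
    double quotes group text, a backslash escapes the next character
    (simplified: the escaped character is kept literally)."""
    out, quoted, i = [], False, 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in "#;" and not quoted:
            break
        else:
            out.append(ch)
        i += 1
    return "".join(out).strip()


def parse_git_config(text: str) -> Dict[str, str]:
    """Parse Git's INI-like config into {"section.subsection.key": value}.

    Section and key names are case-insensitive in Git, subsection names are
    not. A bare key with no '=' means boolean true. The last assignment wins.
    """
    entries: Dict[str, str] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = _KEY_RE.match(line)
        if m and section is not None:
            key = m.group(1).lower()
            value = "true" if m.group(2) is None else _unquote(m.group(2))
            entries[f"{section}.{key}"] = value
    return entries


def fsmonitor_command(config_text: str) -> Optional[str]:
    """Return the program core.fsmonitor would run, or None if the option is
    absent or a boolean (built-in daemon or disabled)."""
    value = parse_git_config(config_text).get("core.fsmonitor")
    if value is None or value.lower() in _BOOL_LITERALS:
        return None
    return value


def resolve_git_dir(repo: Path) -> Optional[Path]:
    """Find the .git directory, following a 'gitdir: ...' file (worktrees,
    submodules), where a hostile config can also hide."""
    dot_git = repo / ".git"
    if dot_git.is_dir():
        return dot_git
    if dot_git.is_file():
        first = dot_git.read_text(encoding="utf-8", errors="replace").splitlines()[:1]
        if first and first[0].startswith("gitdir:"):
            return (repo / first[0][len("gitdir:"):].strip()).resolve()
    return None


def scan_repo(repo: Path) -> Optional[str]:
    """Return the fsmonitor command configured for the repository at repo, if any."""
    git_dir = resolve_git_dir(repo)
    if git_dir is None or not (git_dir / "config").is_file():
        return None
    text = (git_dir / "config").read_text(encoding="utf-8", errors="replace")
    return fsmonitor_command(text)


# Constructed samples: a benign config and one of the shape this advisory describes.
BENIGN_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = true          ; built-in daemon, not a command
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

MALICIOUS_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tFSMonitor = "/tmp/payload.sh" # hypothetical path, for illustration only
"""

if __name__ == "__main__":
    for arg in sys.argv[1:] or ["."]:
        cmd = scan_repo(Path(arg))
        print(f"{arg}: {'core.fsmonitor would run ' + repr(cmd) if cmd else 'ok'}")
```

Run it against a clone before opening the folder in any editor, for example `python3 fsmonitor_check.py /path/to/repo`, and do not inspect the repository with commands such as `git status` run inside it, since those are exactly what invoke the hook. The scanner reads only the repository's own config file and does not follow include.path directives; a definitive check that does follow them while still executing nothing is `git config --file /path/to/repo/.git/config --includes --get core.fsmonitor`.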

Evidence notes

The official GitHub Security Advisory GHSA-fj2r-rmw6-h222 confirms the vulnerability and the fix version. The NVD record was published 2026-05-28 with a CVSS 3.1 base score of 8.6 (HIGH).

Official resources

GitHub Security Advisory GHSA-fj2r-rmw6-h222 (zed-industries), published 2026-05-28