CVE-2026-44463

Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions

CVSS 8.6 HIGHEPSS 0.2%CWE-184 CWE-78

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.6EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

28 may 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Productos afectados

zed-industries · zed

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/zed-industries/zed/security/advisories/GHSA-c3g6-c3ff-69cg