CVE-2026-44466: Zed Code Editor Terminal Permission Bypass via Bash Arithmetic Expansion
Zed is a popular code editor that includes a built-in terminal tool with a permission system designed to control which commands users can execute. Researchers discovered that this permission system has a critical flaw: attackers can bypass it using bash arithmetic expansion syntax—specifically the $((...)) construct—to nest arbitrary commands inside allowlisted commands like echo. This means a user could trick Zed into running malicious code even though the underlying command appeared safe. The vulnerability affects all versions of Zed prior to 0.229.0 and has been patched in that release.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44466 exploits a command injection vulnerability in Zed's terminal tool permission enforcement mechanism. The vulnerability stems from insufficient input sanitization when parsing and executing terminal commands. Attackers can leverage bash arithmetic expansion—a feature that allows embedding command substitution within $((...)) syntax—to circumvent the allowlist validation that should restrict command execution. When a user attempts to run an allowlisted command such as echo, an attacker-controlled variant containing nested command substitution can be injected, causing Zed to execute arbitrary shell commands with the privileges of the user running the editor. The root cause is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a well-known command injection category. The vulnerability requires local access and user interaction (clicking or confirming execution), but once triggered, it grants full command execution capability within the terminal context.
Business impact
This vulnerability poses a significant risk to development teams and individual developers using Zed, particularly in collaborative environments or when opening untrusted project files. An attacker could embed malicious terminal commands in a project configuration or script that, when executed through Zed's terminal, would run arbitrary code on the developer's machine. The consequences include theft of credentials stored in the developer environment, installation of malware or persistence mechanisms, lateral movement to other systems on the network, and exfiltration of proprietary source code or intellectual property. Organizations using Zed across their engineering teams should treat this as a priority upgrade, as the attack surface is broad—any developer who opens a compromised project could be affected.
Affected systems
All versions of Zed prior to 0.229.0 are vulnerable. The vulnerability is present across all platforms where Zed runs, including macOS, Linux, and Windows. Any organization or individual using Zed as their primary code editor should inventory their deployments and verify they are running 0.229.0 or later. The vulnerability does not affect other code editors or terminal applications; it is specific to Zed's terminal tool permission implementation.
Exploitability
The vulnerability is moderately exploitable in practice. Exploitation requires local access to a system running Zed and requires user interaction—the attacker must convince or trick a user into executing a command through Zed's terminal interface. The attack vector is local, not remote, meaning an attacker cannot exploit this directly over a network. However, the barrier to exploitation is relatively low: an attacker can craft a malicious project file, script, or configuration that includes the bash arithmetic expansion payload, and social engineering or supply chain compromise could increase the likelihood of a user opening and executing it. Once triggered, the impact is severe—full command execution with user privileges.
Remediation
The definitive fix is to upgrade Zed to version 0.229.0 or later. Users should prioritize this update immediately given the HIGH severity rating and the ease with which the vulnerability can be exploited in a development environment. There is no known workaround for older versions other than avoiding execution of untrusted commands in Zed's terminal or disabling the terminal tool entirely, but these are impractical for active developers. Organizations should establish a clear patching timeline and communicate the importance of this update to all Zed users.
Patch guidance
Verify your current Zed version by opening the application and checking Help > About or the settings panel. Download and install Zed 0.229.0 or any subsequent release from the official Zed website or through your package manager if you installed Zed via Homebrew, apt, or similar. On macOS, use `brew upgrade zed` if installed via Homebrew; on Linux, use your distribution's package manager. After upgrading, verify the new version is running and consider restarting any open projects to ensure the updated permission system is in effect. If you manage Zed deployments across a team, consider automated deployment mechanisms or internal update notifications to accelerate patching.
Detection guidance
Monitor for Zed instances still running versions prior to 0.229.0 by checking version strings in running processes or interrogating package management systems. Review terminal command history in Zed projects for suspicious bash arithmetic expansion syntax—specifically commands containing $((...)) patterns—that appear in terminal logs or configuration files. If your organization has endpoint detection and response (EDR) tools in place, look for unusual child processes spawned by Zed that deviate from expected behavior. Additionally, audit access to sensitive credentials or configuration files from processes spawned by Zed, as this may indicate post-exploitation activity. Network monitoring for data exfiltration from development machines could also surface successful exploitation attempts.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.6), the practical exploitability for attackers with basic social engineering skills, and the severe impact on developer workstations. Development environments are often high-value targets because they contain source code, deployment credentials, and keys. The requirement for user interaction is a mitigating factor, but the low technical barrier to crafting a payload and the prevalence of Zed in modern development workflows make this a credible threat. Any organization using Zed should treat this as a priority-1 patch.
Risk score, explained
The CVSS 3.1 score of 8.6 (HIGH) reflects the confluence of several risk factors: the vulnerability allows complete command execution with no privilege escalation needed (CWE-78 command injection), it affects the integrity and confidentiality of the system, the attack vector is local but easily triggered through social engineering, and the scope is changed (processes spawned can affect other systems). The score is not CRITICAL (9.0+) rather than HIGH because exploitation requires user interaction and local access, not remote unauthenticated access. However, the practical risk in a development environment where users routinely open project files and execute commands is substantial.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local access to a system running Zed and user interaction to trigger it. An attacker cannot exploit this over a network. However, an attacker could use supply chain compromise (e.g., injecting the payload into a public repository) or social engineering to increase the likelihood that a user executes a malicious command.
Does disabling Zed's terminal tool prevent exploitation?
Yes, disabling or not using Zed's terminal feature eliminates the attack surface for this specific vulnerability. However, this is impractical for developers who rely on the terminal for workflow efficiency. The recommended action is to upgrade to 0.229.0 rather than disable core functionality.
What happens if a developer opens a malicious project file in Zed 0.229.0 or later?
The patched version implements corrected command parsing and sanitization that prevents bash arithmetic expansion from bypassing the allowlist. Malicious commands using the $((...)) technique will either be blocked or executed in a sandboxed context that prevents privilege escalation or lateral movement. Users should still exercise caution when opening untrusted project files, but the vulnerability itself is no longer exploitable.
Are other code editors affected by this same vulnerability?
This vulnerability is specific to Zed's terminal tool permission system and does not affect VSCode, JetBrains IDEs, Sublime Text, or other major editors. Each editor has its own terminal implementation and permission model. However, developers should always keep all development tools updated to patch known vulnerabilities.
This analysis is based on the CVE record and publicly available information as of the publication date. Security landscapes and threat intelligence evolve; organizations should consult the official Zed security advisories and their own threat intelligence feeds for the latest developments. The CVSS score and severity rating are provided for reference; your organization's risk tolerance and asset criticality may warrant different prioritization. This document does not constitute legal advice or a guarantee of protection. SEC.co and its analysts make no warranty regarding the completeness or accuracy of this analysis beyond the ground-truth source data. Organizations should conduct their own security assessments and testing in controlled environments before deploying patches to production. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44461HIGHZed Remote Code Execution via SSH/WSL Environment Variable Injection
- CVE-2026-44463HIGHZed Code Editor Terminal Permission Bypass (CVSS 8.6)
- CVE-2026-44465HIGHZed IDE Remote Code Execution via Malicious .git/config
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection