VYPR
Medium severity (6.4) · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-44462

Description

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zed editor terminal allowlist bypass via bash variable expansion chaining (${var@P}) allows arbitrary command execution on Linux, fixed in 0.229.0.

Vulnerability

Zed versions prior to 0.229.0 contain a vulnerability in the terminal tool permission system. The allowlist validation uses a regex that matches only the initial command token and does not evaluate nested shell expansions. An attacker can exploit bash's ${var@P} operator for prompt-style expansion, chaining variable assignments to execute arbitrary commands under an allowlisted command prefix like echo [1]. This technique works on Linux; macOS returns a "bad substitution" error due to an older default bash version.

Exploitation

An attacker who can influence AI agent tool calls (e.g., by crafting a prompt) can exploit this bypass. The attack requires a configured allowlist entry such as "always_allow": [{ "pattern": "^echo\\b" }]. By requesting a command like echo ${one="$ "}${two="$one(curl google.com)"}${two@P}, the chain of variable expansions causes curl google.com to execute despite only echo being allowlisted [1]. The initial regex check passes on the literal echo, while the expanded payload runs outside the validation scope.

Impact

Successful exploitation allows arbitrary command execution on Linux systems, bypassing the terminal permission allowlist. An attacker achieves full command execution with the privileges of the Zed process, leading to potential information disclosure, data modification, or further system compromise. The vulnerability affects any Zed user on Linux relying on command allowlists for security [1].

Mitigation

The vulnerability is fixed in Zed version 0.229.0 [1]. Users should update to at least this version. No workaround is available; the only mitigation is upgrading. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Zed Industries / Zed (vendor and product inferred), 2 version ranges
    • (no CPE) range: <0.229.0
    • (no CPE) range: <0.229.0

Patches (1)

7c07887d9555 · v0.229.x stable
https://github.com/zed-industries/zed · Joseph T. Lyons · Mar 25, 2026 · Fixed in 0.229.0 via release-tag
1 file changed · +1 −1
  • crates/zed/RELEASE_CHANNEL (+1 −1, modified)
    @@ -1 +1 @@
    -preview
    \ No newline at end of file
    +stable
    \ No newline at end of file
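Review bot: this hunk only flips crates/zed/RELEASE_CHANNEL from preview to stable, which identifies the release-tag commit that shipped 0.229.0 rather than any change to the terminal tool allowlist validation; the "What the fix does" section below should not present this commit as the remediating code change, and the record would be more useful if it linked the commit that actually alters the command validation logic.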
    

Vulnerability mechanics

Root cause

"Bash variable expansion chaining (${var@P}) bypasses Zed's regex-based allowlist validation, which only matches the initial command token and does not evaluate nested shell expansions."

Attack vector

An attacker who can influence AI agent tool calls (e.g., via a crafted prompt) on a Linux system can bypass the terminal permission allowlist. With an allowlist entry such as `"pattern": "^echo\\b"` configured, the attacker asks the AI agent to run a command like `echo ${one="$"}${two="$one(curl google.com)"}${two@P}` [1]. The regex matches only the initial `echo` token, but bash's `${var@P}` operator performs prompt-style expansion on the chained variable assignments, causing the embedded `curl` command to execute [1]. This allows arbitrary command execution despite only `echo` being allowlisted.

Affected code

The advisory does not specify exact function or file names. The vulnerability exists in Zed's terminal tool permission system, specifically in the regex-based allowlist validation logic that matches only the initial command token [1]. The patch is in commit 7c07887d9555953bca7fe78417602114092ef8c8 [patch 2961925].

What the fix does

The patch (commit 7c07887d9555953bca7fe78417602114092ef8c8) addresses the bypass by improving how Zed validates terminal tool commands against the allowlist [patch 2961925]. The only diff in the bundle for that commit is a release-channel change; the code change itself is not shown, but the advisory states the fix is included in version 0.229.0 [1]. The remediation prevents bash variable expansion chaining from circumventing the regex-based allowlist by ensuring that nested shell expansions are evaluated or blocked before the allowlist check.
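As an added illustration (not Zed's code and not the patch cited above), the following Python contrasts a first-token regex check of the kind the advisory describes with a hardened variant that refuses auto-approval for any command carrying shell expansion or chaining syntax before the allowlist regex is consulted. The allowlist pattern is the advisory's `^echo\b`; the set of rejected characters, the function names and the sample commands are assumptions made for this example.

```python
import re

# Constructed allowlist mirroring the advisory's example entry; not Zed's settings format.
ALWAYS_ALLOW = [r"^echo\b"]

# Assumed conservative deny set: parameter/command expansion ($ and backtick),
# command separators (; & | newline) and redirections (< >). A command containing
# any of these can run something other than its first token, so it is never
# auto-approved and would fall back to an explicit user confirmation.
UNSAFE_SHELL_SYNTAX = re.compile(r"[$`;&|<>\n]")


def regex_only_allowed(cmd: str) -> bool:
    """Weak check of the kind the advisory describes: only the literal first
    token is matched, so later expansions are never examined."""
    return any(re.search(pattern, cmd) for pattern in ALWAYS_ALLOW)


def hardened_allowed(cmd: str) -> bool:
    """Block expansion/chaining syntax first, then consult the allowlist."""
    if UNSAFE_SHELL_SYNTAX.search(cmd):
        return False
    return regex_only_allowed(cmd)


def decide(cmd: str) -> dict:
    """Return both verdicts so the divergence is visible for a given command."""
    return {
        "command": cmd,
        "regex_only": regex_only_allowed(cmd),
        "hardened": hardened_allowed(cmd),
    }


if __name__ == "__main__":
    # Constructed sample tool calls; the third is the payload quoted in the advisory.
    samples = [
        "echo hello world",
        "curl google.com",
        'echo ${one="$"}${two="$one(curl google.com)"}${two@P}',
        "echo $HOME",
    ]
    for sample in samples:
        print(decide(sample))
```

The hardened check trades convenience for safety: a benign `echo $HOME` is no longer auto-approved either, which is the intended behaviour when the allowlist is the only barrier between an agent-chosen string and a shell.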

Preconditions

  • input: Attacker must be able to influence AI agent tool calls (e.g., via crafted prompt)
  • config: Target system must be Linux (macOS returns 'bad substitution' error due to older bash)
  • config: Zed must have an allowlist configured (e.g., 'always_allow' with a pattern like '^echo\\b')

Reproduction

1. Configure Zed with: `"always_allow": [{ "pattern": "^echo\\b" }]` [1].
2. Via the AI agent, ask to run: `echo ${one="$"}${two="$one(curl google.com)"}${two@P}` [1].
3. The `curl` command executes despite only `echo` being allowlisted, demonstrating the bypass [1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
