CVE-2026-44466
Description
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zed editor before 0.229.0 allows command injection via bash arithmetic expansion inside allowlisted commands like echo, granting arbitrary command execution.
Vulnerability
Zed's terminal tool permission system before version 0.229.0 uses regex patterns to allowlist commands (e.g., ^echo\b). Because such a pattern only inspects the leading word, it does not reject bash arithmetic expansion syntax $((...)), so a user-supplied command such as echo $(($(curl -s https://google.com | wc -l))) passes the allowlist check even though curl is not permitted [1].
Exploitation
An attacker who can influence AI agent tool calls (for example via prompt injection in repository files) can craft a command that embeds arbitrary commands inside $(($(...))). The attacker must have already obtained permission for an allowlisted command like echo (e.g., via the "always allow" setting) [1]. The shell executes the nested commands after the regex passes.
Impact
Successful exploitation yields arbitrary command execution on the user's machine at the privilege level of the Zed process, completely bypassing the intended permission system [1]. The attacker gains full control over the user's terminal environment.
Mitigation
The vulnerability is fixed in Zed version 0.229.0 [1]. Users should update to the latest release. No workaround is documented; users relying on allowlists should upgrade immediately.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <0.229.0
- (no CPE) range: <0.229.0
Patches
Commit 7c07887d9555 (v0.229.x stable)
1 file changed · +1 −1
crates/zed/RELEASE_CHANNEL+1 −1 modified@@ -1 +1 @@ -preview \ No newline at end of file +stable \ No newline at end of file
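Review bot: this hunk only flips crates/zed/RELEASE_CHANNEL from `preview` to `stable`; it contains none of the allowlist validation change that the advisory text attributes to the fix, so the linked commit looks like the release-promotion commit rather than the patch that handles `$((...))`. The actual validation change should be traced to its own commit before this one is cited as the fix.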
Vulnerability mechanics
Root cause
"The regex-based allowlist validation does not account for bash arithmetic expansion syntax $((...)), allowing arbitrary commands nested inside an allowlisted command to bypass the permission check."
Attack vector
An attacker who can influence AI agent tool calls (e.g., via prompt injection in repository files) can achieve arbitrary command execution on the user's machine [ref_id=1]. The attacker crafts a command like `echo $(($(curl -s https://google.com | wc -l)))` which passes the regex allowlist check for `echo` but causes the shell to execute the nested `curl` command via bash arithmetic expansion [ref_id=1]. The attack requires the user to have configured an allowlist entry (e.g., `"always_allow": [{ "pattern": "^echo\\b" }]`) and to be tricked into running the crafted command [ref_id=1].
Affected code
The vulnerability resides in Zed's terminal tool permission system, specifically in the regex-based allowlist validation that checks commands like `echo` against a pattern such as `^echo\b` [ref_id=1]. The regex does not account for bash arithmetic expansion syntax `$((...))`, allowing nested commands to bypass the allowlist [ref_id=1].
What the fix does
The patch in commit 7c07887d9555953bca7fe78417602114092ef8c8 (v0.229.0) fixes the allowlist bypass by improving the command validation to account for bash arithmetic expansion syntax [patch_id=2961922][ref_id=1]. The advisory states the fix is included in v0.229.0 but does not detail the exact code change [ref_id=1]. Users should update to v0.229.0 or later to close the bypass [ref_id=1].
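As an added example (not Zed's code and not its actual patch), here is a model of the `^echo\b` allowlist check described above beside a hardened variant that refuses shell substitution and separator syntax before consulting the allowlist; the hardened rule and its marker list are this example's assumptions, since the advisory does not detail the real code change:

```rust
// Added example, not Zed's code: a simplified model of the advisory's
// "^echo\b" allowlist check next to a hardened variant. The hardened
// variant is this example's assumption about a fix, not Zed's actual patch.

/// Emulates the page's `^echo\b` pattern without a regex crate: the command
/// must begin with an allowlisted word followed by a non-word character or
/// the end of the string. Nothing after that first word is examined.
fn weak_allowlist(cmd: &str, allowed: &[&str]) -> bool {
    allowed.iter().any(|word| {
        cmd.starts_with(*word)
            && cmd[word.len()..]
                .chars()
                .next()
                .map_or(true, |c| !(c.is_alphanumeric() || c == '_'))
    })
}

/// Shell syntax that makes the shell run something other than the leading
/// word: command substitution `$(` (which also covers `$((`), backticks,
/// parameter expansion, pipes, separators, background `&`, newlines and
/// process substitution. Constructed list for this example; a deny-list of
/// metacharacters is a stopgap, and a real implementation should parse the
/// command line into words and refuse anything that is not a literal word.
const SHELL_MARKERS: [&str; 9] = ["$(", "`", "${", "|", ";", "&", "\n", "<(", ">("];

/// Hardened check: refuse any command containing shell markers before the
/// allowlist is consulted, so `echo` cannot carry a nested command.
fn hardened_allowlist(cmd: &str, allowed: &[&str]) -> bool {
    if SHELL_MARKERS.iter().any(|m| cmd.contains(*m)) {
        return false;
    }
    weak_allowlist(cmd, allowed)
}

fn main() {
    let allowed = ["echo"];
    // The crafted command quoted in the advisory.
    let crafted = "echo $(($(curl -s https://google.com | wc -l)))";
    for cmd in ["echo hello", crafted].iter() {
        println!(
            "{:?}\n  regex-style allowlist: {}\n  hardened allowlist:    {}",
            cmd,
            weak_allowlist(cmd, &allowed),
            hardened_allowlist(cmd, &allowed)
        );
    }
}
```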
Preconditions
- config: User must have configured an allowlist entry (e.g., 'always_allow' with a pattern like '^echo\b')
- input: Attacker must be able to influence AI agent tool calls, e.g., via prompt injection in repository files
- auth: User must be tricked into running the crafted command (local user interaction required per CVSS)
Reproduction
1. Configure Zed with `"always_allow": [{ "pattern": "^echo\\b" }]`.
2. Via the AI agent, ask to run a command like `echo $(($(curl -s https://google.com | wc -l)))`.
3. The `curl` command executes despite only `echo` being allowlisted [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.