CVE-2026-44465: Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config
Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution (RCE) when a victim opens a folder in untrusted mode. This vulnerability is fixed in 0.227.1.
HarborGuard Analysis
Synopsis
An arbitrary code execution vulnerability affects Zed IDE versions prior to 0.227.1. When a user opens a folder containing a malicious .git/config file that abuses the core.fsmonitor Git configuration option, Zed executes attacker-supplied commands without further prompting. Exploitation requires local file access to the victim's machine and a single user action (opening the folder), and successful exploitation gives the attacker full code execution in the context of the running IDE. Note: the description references a fix in 0.227.1, but no fix version has been formally published in the advisory record; HarborGuard is tracking the upstream advisory for confirmed patch availability.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images containing Zed IDE binaries, including custom-built images that bundle or layer the affected package. Any image pinned to a zed-industries/zed version below 0.227.1 is flagged automatically.
Status: Available
HarborGuard scores this finding at CVSS 8.6 HIGH (v3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and applies each customer organization's compliance policy weighting before routing the alert to the appropriate team inbox, ensuring developer-tooling images receive the correct escalation path.
Status: Available
Because no fix version has been formally confirmed in the upstream advisory record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed upstream release is published. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host, or another delivery mechanism to place a malicious .git/config on the victim's filesystem; no over-the-network exposure to Zed is required.
- Authentication: Not required
No account or credential is needed to craft or deliver the malicious repository folder; the attack relies entirely on the victim opening the folder in the IDE.
- Victim interaction: Required
The victim must open the poisoned folder in Zed IDE, making this a social-engineering vector where an attacker tricks a developer into opening a malicious or untrusted repository.
- Attack complexity: Low
Attack complexity is low: the exploit is reliable and condition-free once the victim opens the folder, requiring no race conditions, memory-layout knowledge, or other environmental factors.
Blast Radius
- Attacker executes arbitrary commands in the context of the Zed IDE process, gaining access to any files, credentials, or secrets the IDE user can read on the host.
- Source code, API keys, SSH keys, and other developer secrets stored in the working directory or accessible via the user's environment are exposed to exfiltration.
- The attacker can modify files on the host, including source code, build scripts, and configuration files, enabling supply-chain tampering from a compromised developer workstation.
- The Zed process and any spawned subprocesses can be crashed or abused to disrupt the developer's local environment.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active across all customer environments scanning images that include Zed IDE. Because the upstream advisory has not yet formally published a confirmed fix version, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a verified upstream release is confirmed. In the interim, recommended compensating controls include restricting the use of Zed IDE to trusted repositories only, applying filesystem policies that prevent unexpected writes into .git directories on shared or CI-attached volumes, and using network-egress filtering on developer workstation images to limit the blast radius of any successful code execution. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR against affected workloads will be opened automatically once a fix version is published upstream.
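As an added, defender-side check (not part of the HarborGuard page or the Zed project): a small Python parser for git-config syntax that flags a core.fsmonitor entry whose value names a command to run, since boolean values only select git's built-in monitor. The sample config and its placeholder path are constructed for the demonstration.

```python
import re

# Git config keys whose non-boolean value git executes as an external command.
# core.fsmonitor is the key this advisory describes; a true/false value picks
# git's built-in daemon instead and is therefore not flagged.
COMMAND_KEYS = {"core.fsmonitor"}
BOOLEANS = {"true", "false", "yes", "no", "on", "off", "0", "1", ""}

_SECTION = re.compile(r'^\[([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]')
_KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Return (dotted.key, value) pairs from git-config text, in file order.
    Duplicate keys are kept, matching how git itself reads the file."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:          # [remote "origin"] -> remote.origin
                section += "." + m.group(2)
            continue
        m = _KEYVAL.match(line)
        if m and section is not None:
            value = (m.group(2) or "true").strip()   # bare key means true
            # drop a trailing unquoted comment, then surrounding quotes
            value = re.split(r"\s[#;]", value)[0].strip().strip('"')
            entries.append((f"{section}.{m.group(1).lower()}", value))
    return entries


def find_command_keys(text):
    """Entries whose value git would execute as a command when the repo is used."""
    return [(k, v) for k, v in parse_git_config(text)
            if k in COMMAND_KEYS and v.lower() not in BOOLEANS]


# Constructed sample: a .git/config shaped like the poisoned one the advisory describes.
SAMPLE = """\
[core]
\trepositoryformatversion = 0
\tfsmonitor = /tmp/not-a-real-payload.sh  # placeholder, not a real payload
[remote "origin"]
\turl = https://example.invalid/repo.git
"""
```

Run `find_command_keys` over `.git/config` of a freshly cloned or downloaded repository before opening it in an editor; a non-empty result means the folder should be treated as hostile until the entry is removed.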
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - zed-industries/zed < 0.227.1
- Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H