HIGH · CVE-2026-44466 · CNA: GitHub_M

CVE-2026-44466: Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.

HarborGuard Analysis

Synopsis

A permission (allowlist) bypass exists in the terminal tool permission system of the Zed code editor in versions before 0.229.0. The allowlist approves a command line by the command it names, but bash performs arithmetic expansion before that command runs, and the expression inside $((...)) itself undergoes command substitution. An attacker who can influence a command line evaluated by the terminal tool can therefore nest arbitrary commands inside $((...)) within an otherwise allowlisted command such as echo; the nested commands execute with the privileges of the editor process, outside the intended permission boundary. Successful exploitation gives the attacker full read, write and execute capability within the scope of the running Zed process. The fix ships in Zed 0.229.0.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-44466 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Zed editor. Any image carrying a version of zed-industries/zed below 0.229.0 is flagged automatically during both registry scans and pipeline checks.
Triage (Available)

HarborGuard scores this CVE at CVSS 8.6 HIGH and weights that score against each customer environment's compliance policy to determine urgency and escalation path. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch (Fix available upstream: 0.229.0)

The upstream fix is Zed 0.229.0; affected images should be rebuilt against that version or later. HarborGuard re-checks this advisory on every ingest cycle, and for customers with auto-remediation enabled, the rebuild, regression-test run and PR against affected workloads are triggered without manual intervention once the ingest cycle records the fix version.

Exploit Conditions

  • Network reachability: Not required

    The CVSS vector specifies AV:L. The attacker does not need network access to a service; what is needed is influence over a command line that the terminal tool evaluates on the host.

  • Authentication: Not required

    No credentials or account are required to exploit this vulnerability; the CVSS vector specifies PR:N.

  • Victim interaction: Required

    A user must take an action (such as opening a crafted project or letting the terminal tool evaluate a crafted command) for the payload to execute; the CVSS vector specifies UI:R.

  • Attack complexity: Low

    The CVSS vector specifies AC:L: the bypass relies only on documented bash expansion order, so the exploit is reliable and does not depend on race conditions, specific memory layouts or other variable environmental factors.

Blast Radius

  • The attacker executes arbitrary commands outside the terminal tool's allowlist, bypassing the permission boundary entirely.
  • Confidential files readable by the Zed process (source code, credentials, environment variables, SSH keys) are exposed.
  • The attacker can modify or delete files and repository contents within the scope of the editor process.
  • The running Zed process and any dependent services can be crashed or made unavailable.

How HarborGuard Handles This

The upstream fix is Zed 0.229.0. HarborGuard flags any image carrying zed-industries/zed below 0.229.0 on every scan cycle until a patched version is confirmed present, and for customers with auto-remediation enabled the rebuild, regression-test run and PR against affected workloads are initiated automatically once the ingest cycle records the fix version. Where an image cannot move to 0.229.0 immediately, compensating controls worth considering include: confining images that bundle Zed to development-only namespaces with tightened network policy; egress filtering to limit what processes spawned by the editor can reach; and auditing terminal tool allowlists so that an allowlisted command name is never taken as proof that the whole command line is safe, since $((...)), $(...), backticks and similar constructs are expanded by the shell before the named command runs.
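The mechanism described in the Synopsis and the allowlist-auditing advice above, as an added example that is not Zed's code (Zed's actual check is written in Rust and is not reproduced here; that it amounted to a first-word allowlist is an assumption): a naive allowlist that approves a command line by its first word, a constructed payload that slips past it because bash evaluates the command substitution inside $((...)) before echo receives any argument, and a stricter check that rejects expansion and command-chaining constructs. The allowlist contents, the payload and the marker file it creates are all constructed for this demonstration.

```shell
#!/usr/bin/env bash
# Added example, not Zed's code. Demonstrates why a first-word allowlist is
# bypassed by bash arithmetic expansion and shows a stricter string check.
# The allowlist, payload and marker file are constructed for the demo; the
# shape of Zed's original check is an assumption.

ALLOWLIST="echo ls cat"
NL='
'

# Naive check (assumed shape of the bypassed check): allow the command line
# if the first word is on the allowlist.
naive_allows() {
    first=${1%% *}
    case " $ALLOWLIST " in
        *" $first "*) return 0 ;;
    esac
    return 1
}

# Stricter check: additionally reject anything bash would expand, or use to
# chain a second command, before or instead of the allowlisted program.
strict_allows() {
    naive_allows "$1" || return 1
    case "$1" in
        *'$('*|*'$['*|*'${'*|*'`'*|*'<('*|*'>('*|*';'*|*'|'*|*'&'*|*"$NL"*)
            return 1 ;;
    esac
    return 0
}

# Hand the command line to bash the way a "run this in a shell" tool would,
# and report whether the nested payload ran (it creates a marker file).
payload_ran() {
    dir=$(mktemp -d)
    MARKER="$dir/ran" bash -c "$1" >/dev/null 2>&1 || true
    if [ -e "$dir/ran" ]; then result=yes; else result=no; fi
    rm -rf "$dir"
    echo "$result"
}

BENIGN='echo hello'
# Constructed payload: "echo" is the allowlisted word, but bash performs the
# command substitution inside $(( ... )) while expanding echo's arguments, so
# "touch" runs before echo does. The expansion itself evaluates to 1 + 1.
PAYLOAD='echo $(( $(touch "$MARKER"; echo 1) + 1 ))'

main() {
    printf 'naive check lets the payload through:   '
    if naive_allows "$PAYLOAD"; then echo yes; else echo no; fi
    printf 'nested command actually executed:       %s\n' "$(payload_ran "$PAYLOAD")"
    printf 'strict check lets the payload through:  '
    if strict_allows "$PAYLOAD"; then echo yes; else echo no; fi
    printf 'strict check allows the benign command: '
    if strict_allows "$BENIGN"; then echo yes; else echo no; fi
}

main
```

Run it with bash on a host where bash is on the PATH; the marker file proves the nested touch executed even though echo was the only word the naive check looked at. The stricter check is still a string filter over shell syntax, and such filters are hard to make complete (quoting tricks, aliases and functions, and further expansion forms all need covering). The robust design is to never hand a user-influenced string to a shell at all: parse it into an argv, confirm the program is allowlisted, and execute that program directly without shell interpretation.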


Metrics

CVSS v3.1 score: 8.6
Severity: HIGH
Fixed in: 0.229.0
Affected products: 1
Affected packages:
  • zed-industries / zed
    < 0.229.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H