{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27967", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-02-25T23:33:21.477Z", "dateUpdated": "2026-02-28T04:55:28.156Z"}, "containers": {"cna": {"title": "Symlink Escape in Agent File Tools", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235"}], "affected": [{"vendor": "zed-industries", "product": "zed", "versions": [{"version": "< 0.225.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T23:33:21.477Z"}, "descriptions": [{"lang": "en", "value": "Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue."}], "source": {"advisory": "GHSA-786m-x2vc-5235", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-27967"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T04:55:28.156Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27967", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T14:16:57.355198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T17:05:23.146Z"}}], "cna": {"title": "Symlink Escape in Agent File Tools", "source": {"advisory": "GHSA-786m-x2vc-5235", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zed-industries", "product": "zed", "versions": [{"status": "affected", "version": "< 0.225.9"}]}], "references": [{"url": "https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235", "name": "https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T23:33:21.477Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27967", "state": "PUBLISHED", "dateUpdated": "2026-02-28T04:55:28.156Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T23:33:21.477Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zed:zed:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2B65125-64EB-4054-BE09-6EFDEE894188", "versionEndExcluding": "0.225.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue."}, {"lang": "es", "value": "Zed, un editor de c\u00f3digo, tiene una vulnerabilidad de escape de symlink en versiones anteriores a la 0.225.9 en las herramientas de archivo del Agente ('read_file', 'edit_file'). Permite leer y escribir archivos fuera del directorio del proyecto cuando un proyecto contiene enlaces simb\u00f3licos que apuntan a rutas externas. Esto elude el l\u00edmite de espacio de trabajo previsto y las protecciones de privacidad ('file_scan_exclusions', 'private_files'), lo que podr\u00eda filtrar datos sensibles del usuario al LLM. La versi\u00f3n 0.225.9 soluciona el problema."}], "id": "CVE-2026-27967", "lastModified": "2026-03-05T16:10:10.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T00:16:27.137", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit", "Mitigation"], "url": "https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.225.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zed", "source": "cna", "vendor": "zed-industries"}, "product": "zed", "vendor": "zed-industries"}], "analysis": {"en": {"generated_at": "2026-04-17T14:42:38.599564+00:00", "value": {"mitigation_remediation": ["Upgrade to Zed version 0.225.9 or later, which contains the fix for the symlink handling in the agent file tools", "Configure the editor or project settings to disallow symbolic links pointing outside the workspace or to explicitly whitelist allowed paths", "Before reading or writing files, add a validation step to confirm that the resolved file path remains within the project directory, and reject any operations that resolve to an external path"], "summary": {"action": "Update immediately", "impact": "Remote file read/write outside project directory"}, "threat_synthesis": {"affected_systems": "Affected by Zed Industries\u2019 Zed code editor. Versions prior to 0.225.9 of the agent file tools are vulnerable. The flaw exists in the read_file and edit_file operations when used inside a project that contains symbolic links to paths outside the workspace.", "description_and_impact": "This vulnerability allows an attacker to read and write arbitrary files outside the intended project workspace when the project contains symbolic links that point to locations outside the project directory. The flaw lies in the Agent file tools, specifically the read_file and edit_file functions, and is caused by insufficient validation of file paths, which is identified as CWE\u201159. The impact includes disclosure of sensitive data to the integrated language model and accidental modification of critical system files, leading to potential data exfiltration and integrity compromise.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity. The EPSS score is less than 1\u202f%, suggesting a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be carried out by supplying a malicious project containing symlinks that point to external files; no network exploitation or elevated privileges are required, so the attack vector is local through the editor\u2019s processing of a symlinked project."}}}}, "created": "2026-02-26T13:10:35.230608+00:00", "updated": "2026-04-17T14:45:21.039471+00:00", "vendors": ["zed-industries", "zed-industries$PRODUCT$zed"]}