CVE-2026-27800

7.4 HIGH

📋 TL;DR

Zed code editor versions before 0.224.4 contain a Zip Slip vulnerability in the extension archive extraction functionality: ZIP entry filenames containing path traversal sequences (such as ../) are not rejected, so a malicious extension can write files outside its designated sandbox directory during extraction. All users running vulnerable versions of Zed are affected.

💻 Affected Systems

Products:
  • Zed code editor
Versions: All versions prior to 0.224.4
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the extension archive extraction functionality when installing or updating extensions.

📦 What is this software?

Zed is a code editor for Windows, macOS and Linux that supports installable extensions. Extensions are distributed as archives and unpacked into a per-extension directory; the vulnerable code is the routine that performs that unpacking.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious extension could overwrite critical system files, install persistent malware, or gain arbitrary code execution on the user's system.

🟠 Likely Case

Malicious extensions could write files to sensitive locations, potentially leading to data theft, privilege escalation, or system compromise.

🟢 If Mitigated

With proper extension vetting and sandboxing, the impact is limited to the extension's permissions and isolated environment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to install a malicious extension, but once such an extension is installed the vulnerability itself is straightforward to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.224.4

Vendor Advisory: https://github.com/zed-industries/zed/security/advisories/GHSA-v385-xh3h-rrfr

Restart Required: Yes

Instructions:

1. Open Zed editor
2. Go to Settings > About
3. Check if version is 0.224.4 or later
4. If not, update through your package manager or download the latest release from the official website
5. Restart Zed after update

🔧 Temporary Workarounds

Disable extension installation (Platforms: all)

Prevent installation of new extensions to avoid potential malicious archives

Use only trusted extensions (Platforms: all)

Only install extensions from verified, trusted sources

🧯 If You Can't Patch

  • Audit all installed extensions and remove any from untrusted sources
  • Run Zed with minimal privileges and in a sandboxed environment

🔍 How to Verify

Check if Vulnerable:

Check Zed version in Settings > About. If version is earlier than 0.224.4, you are vulnerable.

Check Version:

zed --version

Verify Fix Applied:

After updating, verify version is 0.224.4 or later in Settings > About.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes outside extension directories
  • Extension installation failures with path traversal errors

Network Indicators:

  • Downloads of extension archives from untrusted sources

SIEM Query:

Process execution where command_line contains 'zed' AND file_write where path contains '../'
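The check that closes a Zip Slip hole, and the "path traversal" installation-failure event the log indicators above describe, as an added example: this is not Zed's code and not from the advisory. It validates every archive entry name lexically against the extraction root before anything is written, rejecting absolute paths, drive prefixes, and any `..` component (backslashes are treated as separators so Windows-style names are not smuggled past a Unix check). The root directory and the archive listing `SAMPLE_ENTRIES` are constructed for the demonstration and are not real Zed paths.

```rust
use std::path::{Component, Path, PathBuf};

/// Result of checking one archive entry name against the extraction root.
#[derive(Debug, PartialEq)]
pub enum EntryVerdict {
    /// Safe to extract: the entry lands at this path inside the root.
    Allowed(PathBuf),
    /// Must be rejected: the entry name would escape the root (Zip Slip).
    Traversal(String),
}

/// Decide, purely lexically and before any file is created, where an
/// archive entry may be written. Absolute paths, drive prefixes and any
/// `..` component are rejected outright; `.` components are dropped.
pub fn check_entry(root: &Path, entry_name: &str) -> EntryVerdict {
    // Treat backslashes as separators too, so a name like `..\..\x` cannot
    // slip past a forward-slash-only check on Unix hosts.
    let normalized = entry_name.replace('\\', "/");
    let mut target = root.to_path_buf();
    for component in Path::new(&normalized).components() {
        match component {
            Component::Normal(part) => target.push(part),
            Component::CurDir => {}
            // RootDir covers "/abs/path", Prefix covers "C:\...", and
            // ParentDir is the ".." that Zip Slip relies on.
            Component::RootDir | Component::Prefix(_) | Component::ParentDir => {
                return EntryVerdict::Traversal(entry_name.to_string());
            }
        }
    }
    // Defence in depth: the assembled path must still sit under the root.
    if !target.starts_with(root) {
        return EntryVerdict::Traversal(entry_name.to_string());
    }
    EntryVerdict::Allowed(target)
}

/// Audit a whole archive listing before extracting anything and return the
/// entry names that would escape the root. A non-empty result is the
/// "extension installation failure with path traversal" event worth logging.
pub fn traversal_entries(root: &Path, entry_names: &[&str]) -> Vec<String> {
    entry_names
        .iter()
        .filter_map(|name| match check_entry(root, name) {
            EntryVerdict::Traversal(n) => Some(n),
            EntryVerdict::Allowed(_) => None,
        })
        .collect()
}

/// Constructed archive listing for the demonstration: three ordinary
/// extension files and three entries shaped like Zip Slip attempts.
pub const SAMPLE_ENTRIES: &[&str] = &[
    "extension.toml",
    "./languages/foo/config.toml",
    "src/lib.rs",
    "../../../outside.txt",
    "/tmp/absolute.txt",
    "..\\..\\backslash.txt",
];

fn main() {
    // Hypothetical per-extension sandbox directory, not a real Zed path.
    let root = Path::new("/home/user/.local/share/zed/extensions/example");
    for name in SAMPLE_ENTRIES {
        match check_entry(root, name) {
            EntryVerdict::Allowed(p) => println!("allow   {name:<28} -> {}", p.display()),
            EntryVerdict::Traversal(n) => println!("REJECT  {n:<28} (would escape root)"),
        }
    }
    let bad = traversal_entries(root, SAMPLE_ENTRIES);
    println!("{} of {} entries rejected; abort extraction", bad.len(), SAMPLE_ENTRIES.len());
}
```

The check is deliberately conservative: an entry such as `src/../lib.rs` would resolve inside the root, but it is rejected anyway because legitimate archives have no reason to contain `..` at all, and refusing the whole archive on the first such entry (rather than skipping it) is what turns a silent partial install into the loggable failure the detection section relies on.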

🔗 References

  • Vendor advisory: https://github.com/zed-industries/zed/security/advisories/GHSA-v385-xh3h-rrfr