CVE-2026-27800 Overview
CVE-2026-27800 is a Path Traversal (Zip Slip) vulnerability affecting Zed, a modern code editor. The vulnerability exists in the extension archive extraction functionality in versions prior to 0.224.4. The extract_zip() function in crates/util/src/archive.rs fails to validate ZIP entry filenames for path traversal sequences (e.g., ../), allowing a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive.
Critical Impact
Attackers can craft malicious Zed extensions that escape sandbox restrictions and write arbitrary files to any location on the victim's file system, potentially leading to code execution or system compromise.
Affected Products
- Zed Code Editor versions prior to 0.224.4
Discovery Timeline
- 2026-02-26 - CVE-2026-27800 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27800
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The flaw resides in the archive extraction logic that processes ZIP files during extension installation.
When Zed downloads and extracts extension archives, the extract_zip() function processes each entry's filename without adequately sanitizing path components. This oversight allows specially crafted ZIP archives to contain entries with relative path sequences that navigate outside the intended extraction directory.
The attack requires user interaction—specifically, the victim must install a malicious extension. However, once installed, the extension can silently write files to arbitrary locations on the filesystem, bypassing the sandbox protections designed to isolate extension data.
Root Cause
The root cause is insufficient input validation in the extract_zip() function located in crates/util/src/archive.rs. The function fails to:
- Canonicalize or normalize the file paths extracted from ZIP entries
- Verify that resolved paths remain within the designated extraction directory
- Reject or sanitize entries containing directory traversal sequences like ../ or absolute paths
This is a classic Zip Slip vulnerability pattern where archive entry names are trusted without verification, enabling attackers to control the final destination of extracted files.
Attack Vector
The attack is network-based and requires user interaction. An attacker would need to:
- Create a malicious Zed extension package containing a specially crafted ZIP archive
- Include ZIP entries with path traversal sequences in their filenames (e.g., ../../../.config/autostart/malicious.desktop)
- Distribute the malicious extension through social engineering, a compromised extension repository, or typosquatting
- When a user installs the extension, files are extracted to attacker-controlled locations outside the sandbox
The vulnerability allows files to be written with user-level permissions, which could enable persistent code execution through autostart mechanisms, configuration file manipulation, or overwriting existing application files.
For complete technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-27800
Indicators of Compromise
- Unexpected files appearing in directories outside of Zed's extension directories
- Files in user autostart or profile configuration directories that coincide with recent extension installations
- ZIP archives with suspicious entry names containing ../ sequences in Zed cache or temp directories
Detection Strategies
- Monitor file system activity during Zed extension installation for writes outside expected directories
- Implement file integrity monitoring on critical configuration directories like ~/.config/, ~/.bashrc, and autostart locations
- Audit recently installed Zed extensions and verify their authenticity against official sources
- Scan extension ZIP archives for entries containing path traversal sequences before extraction
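The validation that the Root Cause section says extract_zip() lacks and the pre-extraction archive scan listed above come down to the same check: resolve each entry name against the destination directory and refuse anything that would land outside it. The following Rust example is added here to show that check; it is not Zed's code and not the patched extract_zip(). The names safe_extract_path, find_unsafe_entries and EntryError, the root path, and the entry listing in main are all constructed for illustration.

```rust
use std::path::{Path, PathBuf};

/// Reasons an archive entry name is rejected before anything is written.
#[derive(Debug, PartialEq)]
pub enum EntryError {
    Empty,       // name resolves to nothing to write ("", ".", "./")
    Absolute,    // starts with "/" or "\"
    DriveLetter, // "C:foo" or "C:\foo", a Windows drive-qualified path
    Traversal,   // contains a ".." component
    EscapesRoot, // resolved path is not under the destination root
    NulByte,     // embedded NUL, which OS path APIs would truncate at
}

/// Resolve `entry_name` (as stored in the ZIP central directory) to a path
/// under `root`, or explain why it must not be written. Hypothetical helper.
///
/// Both `/` and `\` are treated as separators, since archives produced on
/// Windows may contain either and the extracting host may be any platform.
pub fn safe_extract_path(root: &Path, entry_name: &str) -> Result<PathBuf, EntryError> {
    if entry_name.is_empty() {
        return Err(EntryError::Empty);
    }
    if entry_name.contains('\0') {
        return Err(EntryError::NulByte);
    }
    if entry_name.starts_with('/') || entry_name.starts_with('\\') {
        return Err(EntryError::Absolute);
    }
    let bytes = entry_name.as_bytes();
    if bytes.len() >= 2 && bytes[0].is_ascii_alphabetic() && bytes[1] == b':' {
        return Err(EntryError::DriveLetter);
    }

    // Rebuild the path one component at a time so no separator-bearing
    // string is ever handed to PathBuf::push (which would replace the path).
    let mut out = root.to_path_buf();
    for part in entry_name.split(|c| c == '/' || c == '\\') {
        match part {
            "" | "." => continue, // "a//b" and "./a" are harmless
            ".." => return Err(EntryError::Traversal),
            other => out.push(other),
        }
    }
    if out == root {
        return Err(EntryError::Empty);
    }
    // Defence in depth: on Windows a component such as "C:" is a prefix and
    // push() would discard `root`; a component-wise starts_with catches that.
    if !out.starts_with(root) {
        return Err(EntryError::EscapesRoot);
    }
    Ok(out)
}

/// Pre-extraction scan for the detection use case: every entry name in an
/// archive listing that would be rejected, paired with the reason.
pub fn find_unsafe_entries<'a>(root: &Path, names: &[&'a str]) -> Vec<(&'a str, EntryError)> {
    names
        .iter()
        .filter_map(|n| safe_extract_path(root, n).err().map(|e| (*n, e)))
        .collect()
}

fn main() {
    // Constructed listing and root path, not taken from any real extension.
    let root = Path::new("/tmp/zed-extensions/demo");
    let listing = [
        "extension.toml",
        "languages/rust/config.toml",
        "./grammars/tree-sitter-demo.wasm",
        "../../../.config/autostart/traversal.desktop",
        "/etc/cron.d/traversal",
        "C:\\Users\\victim\\traversal.bat",
        "themes\\..\\..\\traversal.json",
    ];
    for (name, err) in find_unsafe_entries(root, &listing) {
        println!("REJECT {:<48} {:?}", name, err);
    }
}
```

The check is purely lexical, which is what Zip Slip needs, but it does not protect against a symlink already present under the destination that points elsewhere; an extractor should additionally refuse to follow symlinks inside the destination, or extract into a freshly created, empty directory.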
Monitoring Recommendations
- Enable filesystem auditing for user home directories to detect anomalous file creation patterns
- Monitor Zed process activity for file writes outside standard application directories
- Implement endpoint detection rules that alert on path traversal patterns in archive operations
- Review extension installation logs and correlate with unexpected file system changes
How to Mitigate CVE-2026-27800
Immediate Actions Required
- Upgrade Zed to version 0.224.4 or later immediately
- Audit recently installed extensions for suspicious behavior or unknown origins
- Review filesystem for unexpected files that may have been written during previous extension installations
- Only install extensions from trusted and verified sources
Patch Information
The vulnerability has been fixed in Zed version 0.224.4. The patch addresses the path traversal issue by implementing proper validation of ZIP entry filenames during extraction. Users should update to this version or later to remediate the vulnerability.
For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Avoid installing Zed extensions from untrusted or unverified sources until the patch is applied
- Temporarily disable automatic extension updates if using a vulnerable version
- Use filesystem sandboxing tools (e.g., Flatpak, Firejail) to limit Zed's write access to sensitive directories
- Implement strict file permissions on critical configuration directories to prevent unauthorized modifications
# Verify Zed version to ensure patched version is installed
zed --version
# Expected output should show version 0.224.4 or higher
# Optionally restrict Zed's filesystem access using Firejail
firejail --whitelist=~/projects --whitelist=~/.config/zed zed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.