CVE-2026-27967 Overview
CVE-2026-27967 is a symlink escape vulnerability affecting the Zed code editor in versions prior to 0.225.9. The vulnerability exists in the Agent file tools (read_file, edit_file) and allows attackers to read and write files outside the project directory when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (file_scan_exclusions, private_files), potentially leaking sensitive user data to the LLM.
Critical Impact
Attackers can leverage symbolic links within a project to escape workspace boundaries and access sensitive files outside the intended project directory, bypassing privacy protections and potentially exposing confidential data to the integrated LLM.
Affected Products
- Zed code editor versions prior to 0.225.9
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27967 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27967
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The Zed code editor's Agent file tools fail to properly validate symbolic links before performing file operations, allowing path traversal outside the designated project workspace.
When the Agent's read_file or edit_file functions process a file path that includes or traverses through a symbolic link, the application follows the symlink without verifying that the resolved path remains within the project boundary. This design flaw enables an attacker who can place or influence symbolic links within a project directory to access arbitrary files on the system that the user has read/write permissions for.
The vulnerability is particularly concerning because it bypasses the editor's built-in privacy protections, including file_scan_exclusions and private_files configurations. Files marked as private or excluded from scanning can still be accessed if a symlink pointing to them exists within the project.
Root Cause
The root cause is improper link resolution before file access in the Agent file tools. The read_file and edit_file functions do not implement proper symlink canonicalization and path validation to ensure that resolved file paths remain within the project directory boundaries. The application trusts the symbolic link target without verification, allowing workspace boundary bypass.
Attack Vector
The attack requires local access and user interaction. An attacker would need to:
- Create or modify a project that the victim opens in Zed
- Include symbolic links within the project directory that point to sensitive files outside the workspace (e.g., ~/.ssh/id_rsa, ~/.aws/credentials, or application configuration files)
- When the victim uses Agent file tools on paths that traverse through these symlinks, the sensitive external files are read or modified
- Data from these files may be exposed to the integrated LLM, leading to information disclosure
The vulnerability is particularly dangerous in shared project environments or when opening untrusted project repositories containing malicious symlinks.
Detection Methods for CVE-2026-27967
Indicators of Compromise
- Presence of unusual symbolic links in project directories pointing to sensitive system paths
- Unexpected file access patterns from the Zed editor process to files outside project boundaries
- LLM agent interactions referencing content from files outside the workspace
- Symbolic links pointing to home directory configuration files (.ssh, .aws, .gnupg, etc.)
Detection Strategies
- Monitor file system access from Zed processes for paths outside project directories
- Implement file integrity monitoring on sensitive configuration files
- Use endpoint detection to identify symlink creation in project directories pointing to sensitive paths
- Review project directories for suspicious symbolic links before opening in Zed
Monitoring Recommendations
- Configure SentinelOne to alert on symlink creation patterns targeting sensitive directories
- Enable detailed file access logging for the Zed editor process
- Monitor for unusual data exfiltration patterns that may indicate LLM exposure of sensitive data
- Audit project repositories for malicious symlinks before use
How to Mitigate CVE-2026-27967
Immediate Actions Required
- Upgrade Zed code editor to version 0.225.9 or later immediately
- Audit existing projects for suspicious symbolic links pointing outside project boundaries
- Review and remove any untrusted symbolic links from project directories
- Consider temporarily avoiding Agent file tools on projects with symbolic links until patched
Patch Information
The vulnerability is fixed in Zed version 0.225.9. Users should update to this version or later to address the symlink escape vulnerability. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Manually review and remove symbolic links from project directories before using Agent file tools
- Avoid opening untrusted projects that may contain malicious symlinks
- Use operating system-level restrictions to prevent Zed from accessing sensitive directories
- Consider running Zed in a sandboxed environment with limited file system access until the patch is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
