7.1
Zed Code Editor Leaks Sensitive Project Files Outside Workspace
CVE-2026-27967
Summary
Versions of Zed before 0.225.9 let the Agent file tools (`read_file`, `edit_file`) read and write files outside the project directory, potentially exposing user data. This happens when a project contains symbolic links pointing to external paths. To fix, update to version 0.225.9 or later.
What to do
Update Zed to version 0.225.9 or later, which fixes the issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zed | zed | < 0.225.9 | 0.225.9 |
Original title
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directo...
Original description
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.
nvd CVSS3.1
7.1
Vulnerability type
CWE-59
Link Following
- https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235 (Vendor Advisory, Exploit, Mitigation)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
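The boundary failure described above (CWE-59), as an added example that is not Zed's code or its actual fix: a path check that only compares path text accepts a symlink inside the project, while a check that resolves symlinks first rejects it. The function names and the fixture layout are assumptions made for this sketch, and it is Unix-only.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// Weak check: compares path components only, so a symlink inside the root passes.
fn lexically_inside(root: &Path, candidate: &Path) -> bool {
    candidate.starts_with(root)
}

/// Stronger check: resolve every symlink on both sides, then compare.
fn resolves_inside(root: &Path, candidate: &Path) -> io::Result<bool> {
    let real_root = fs::canonicalize(root)?;
    let real_target = fs::canonicalize(candidate)?;
    Ok(real_target.starts_with(&real_root))
}

/// Constructed fixture: <tmp>/project/{notes.txt, link.txt -> ../outside/secret.txt}
fn build_fixture(tag: &str) -> io::Result<(PathBuf, PathBuf, PathBuf)> {
    let name = format!("symlink-demo-{}-{}", std::process::id(), tag);
    let base = std::env::temp_dir().join(name);
    let _ = fs::remove_dir_all(&base); // clear leftovers from an earlier run
    let project = base.join("project");
    let outside = base.join("outside");
    fs::create_dir_all(&project)?;
    fs::create_dir_all(&outside)?;
    let regular = project.join("notes.txt");
    fs::write(&regular, "in workspace")?;
    fs::write(outside.join("secret.txt"), "constructed secret")?;
    let link = project.join("link.txt");
    symlink(outside.join("secret.txt"), &link)?;
    Ok((project, regular, link))
}

fn main() -> io::Result<()> {
    let (root, regular, link) = build_fixture("main")?;
    for p in [&regular, &link] {
        let lexical = lexically_inside(&root, p);
        let resolved = resolves_inside(&root, p)?;
        println!("{}: lexical={} resolved={}", p.display(), lexical, resolved);
    }
    Ok(())
}
```

A resolve-then-compare check is still racy if the path can be swapped between the check and the open, so it is best paired with opening the resolved path rather than the original one.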