CVE-2026-27800 is a path traversal vulnerability categorized under CWE-22 affecting the Zed code editor prior to version 0.224.4. The vulnerability arises from improper validation of ZIP archive entry filenames in the extract_zip() function located in crates/util/src/archive.rs. Specifically, the function does not sanitize or restrict path traversal sequences such as '../' within ZIP entries. This flaw enables a malicious extension archive to escape the designated sandbox directory during extraction, allowing arbitrary files to be written anywhere on the filesystem where the user has write permissions. Such unauthorized file writes can lead to integrity violations, including overwriting critical files or planting malicious payloads. The vulnerability is remotely exploitable without requiring privileges or authentication but does require user interaction to install or extract the malicious extension. The CVSS v3.1 base score is 7.4 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and scope change due to impacting resources beyond the sandbox. No known exploits have been reported in the wild as of the publication date, but the risk remains significant due to the potential for arbitrary file writes. The issue is resolved in Zed version 0.224.4 by implementing proper filename validation and path sanitization during ZIP extraction.

The primary impact of this vulnerability is the compromise of file integrity on systems running vulnerable versions of Zed. Attackers can leverage crafted extension archives to write arbitrary files outside the sandbox, potentially overwriting critical configuration files, injecting malicious scripts, or planting backdoors. This can lead to persistent compromise, privilege escalation if sensitive files are overwritten, or disruption of development workflows. Although confidentiality and availability impacts are limited, the integrity breach can facilitate further attacks or malware persistence. Organizations relying on Zed for development or code editing are at risk, especially if extensions are sourced from untrusted providers. The requirement for user interaction (installing or extracting an extension) somewhat limits exploitation but does not eliminate risk, particularly in environments where users frequently add third-party extensions. The vulnerability could also be leveraged in targeted attacks against developers or CI/CD pipelines using Zed, potentially impacting software supply chain security.

To mitigate this vulnerability, organizations should immediately upgrade Zed to version 0.224.4 or later, where the issue is fixed. Until upgrading, users should avoid installing or extracting extensions from untrusted or unknown sources. Implement strict policies to restrict extension installation to verified repositories or signed packages. Employ endpoint security solutions that monitor and block unauthorized file writes outside expected directories. Developers and security teams should audit existing extensions for suspicious archive contents and consider sandboxing or containerizing development environments to limit filesystem exposure. Additionally, monitoring file system changes in directories related to Zed can help detect exploitation attempts. Educate users about the risks of installing untrusted extensions and enforce least privilege principles to minimize the impact of potential exploitation.