CVE-2026-27967: CWE-59: Improper Link Resolution Before File Access ('Link Following') in zed-industries zed
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-27967 is a vulnerability classified under CWE-59 (Improper Link Resolution Before File Access) affecting the zed code editor developed by zed-industries. The vulnerability arises from improper handling of symbolic links within the Agent file tools, specifically the `read_file` and `edit_file` functions. When a project directory contains symbolic links that point to files or directories outside the project workspace, zed incorrectly follows these links, allowing file operations beyond the intended sandbox boundary. This behavior bypasses security mechanisms designed to restrict file access such as `file_scan_exclusions` and `private_files`, which are meant to protect sensitive files from being accessed or leaked. As a result, an attacker or malicious user with local access and the ability to create or manipulate project files can cause zed to read or write arbitrary files on the host system, potentially exposing sensitive data to the integrated large language model (LLM) or corrupting files. The vulnerability requires user interaction (e.g., opening or editing a project containing malicious symlinks) but does not require elevated privileges. The CVSS v3.1 score is 7.1 (high severity), reflecting high confidentiality and integrity impact, low attack complexity, no privileges required, and user interaction needed. The vulnerability was publicly disclosed on February 25, 2026, and fixed in zed version 0.225.9. No known exploits in the wild have been reported to date.
Potential Impact
This vulnerability poses a significant risk to organizations using vulnerable versions of the zed code editor, especially those handling sensitive or proprietary code and data. By exploiting the symlink escape, attackers can access or modify files outside the project directory, potentially leaking confidential information such as credentials, configuration files, or intellectual property to the LLM or other components. This undermines data confidentiality and integrity, which can lead to data breaches, intellectual property theft, or sabotage of critical files. Since the vulnerability requires local access and user interaction, the threat is more pronounced in environments where users may open untrusted projects or where attackers have some foothold on the system. The bypass of workspace boundary protections also weakens trust in the editor’s security model, potentially exposing organizations to compliance and privacy risks. Although availability is not impacted, the confidentiality and integrity risks are substantial, especially in development environments integrated with AI tools that may inadvertently process sensitive data. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, particularly as attackers may develop exploits following public disclosure.
Mitigation Recommendations
Organizations should immediately upgrade all instances of the zed code editor to version 0.225.9 or later, which contains the fix for this vulnerability. Until the upgrade is applied, users should avoid opening projects containing untrusted or external symbolic links and refrain from editing files through the Agent file tools that could be manipulated via symlinks. Implement strict controls on project directory contents, including scanning for and removing suspicious symbolic links that point outside the workspace. Employ endpoint security solutions to monitor and restrict unauthorized file system modifications and symlink creations. Educate developers and users about the risks of opening untrusted projects and the importance of applying security updates promptly. Additionally, review and harden privacy settings related to `file_scan_exclusions` and `private_files` to minimize sensitive data exposure. Consider isolating development environments or using containerization to limit the impact of potential symlink escape exploits. Finally, monitor vendor advisories and threat intelligence feeds for any emerging exploit activity related to this CVE.
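The advisory's mitigation section recommends scanning project directories for symbolic links that point outside the workspace, and the technical summary describes the underlying defect as a boundary check that is applied before links are resolved. The following Python is an added example written for this page, not code from Zed or from zed-industries, and it does not reproduce the fixed code. It contrasts a purely lexical containment check (which accepts a symlink because the requested path string looks in-bounds) with a check on the fully resolved path, and adds a scanner that lists every symlink in a workspace whose resolved target lies outside it. The workspace layout it builds under a temporary directory (a `src/main.rs` file plus a symlink named `notes` pointing at an outside file) is a constructed sample; the function names are this example's own.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def lexically_inside(root: os.PathLike | str, requested: str) -> bool:
    """Weak check: normalise the joined path as a string and test the prefix.
    This rejects plain `..` traversal but says nothing about what a symlink
    inside the tree actually points at."""
    root_abs = os.path.abspath(root)
    joined = os.path.normpath(os.path.join(root_abs, requested))
    return joined == root_abs or joined.startswith(root_abs + os.sep)


def resolve_within_workspace(root: os.PathLike | str, requested: str) -> Path | None:
    """Hardened check: resolve every symlink in both the root and the
    requested path, then require the result to sit under the resolved root.
    Returns the resolved path on success, None if it escapes."""
    root_real = Path(root).resolve(strict=True)
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def find_escaping_symlinks(root: os.PathLike | str) -> list[tuple[Path, Path]]:
    """Walk the workspace without following links and report each symlink
    whose resolved target is outside the workspace root."""
    root_real = Path(root).resolve(strict=True)
    escapes: list[tuple[Path, Path]] = []
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve(strict=False)
            try:
                target.relative_to(root_real)
            except ValueError:
                escapes.append((entry, target))
    return escapes


def build_demo_workspace(base: Path) -> Path:
    """Constructed sample: a workspace containing one real source file and
    one symlink (`notes`) that points at a file outside the workspace."""
    outside = base / "outside_secret.txt"
    outside.write_text("not part of the project\n")
    ws = base / "workspace"
    (ws / "src").mkdir(parents=True)
    (ws / "src" / "main.rs").write_text("fn main() {}\n")
    os.symlink(outside, ws / "notes")
    return ws


def run_demo() -> dict:
    """Run both checks and the scanner against the constructed workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = build_demo_workspace(Path(tmp))
        ws_real = ws.resolve()
        return {
            # the lexical check is fooled by the symlink, the resolved one is not
            "lexical_accepts_symlink": lexically_inside(ws, "notes"),
            "resolved_accepts_symlink": resolve_within_workspace(ws, "notes") is not None,
            "resolved_accepts_source": resolve_within_workspace(ws, "src/main.rs") is not None,
            "resolved_accepts_dotdot": resolve_within_workspace(ws, "../outside_secret.txt") is not None,
            "escaping_symlinks": [
                str(link.relative_to(ws_real)) for link, _ in find_escaping_symlinks(ws)
            ],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Checking `file_scan_exclusions` or `private_files` patterns against the requested path has the same weakness as the lexical check: a link named `notes` matches neither pattern even though its target may. Any exclusion logic should be applied to the resolved path returned by `resolve_within_workspace`, and the scanner can be run over a project before it is opened with agent tooling enabled.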
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:24:57.793Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f8c2fb7ef31ef0b6c21ce
Added to database: 2/25/2026, 11:56:31 PM
Last enriched: 3/5/2026, 9:46:02 AM
Last updated: 4/11/2026, 6:13:02 PM
Views: 103