CVE-2026-27800
Published: 26 February 2026
Summary
CVE-2026-27800 is a high-severity Path Traversal (CWE-22) vulnerability in the Zed code editor (vendor: Zed). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Boot or Logon Autostart Execution (T1547). The CVE ranks at the 20.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27800 is a Zip Slip path traversal vulnerability in the Zed code editor, affecting versions prior to 0.224.4. The issue resides in the `extract_zip()` function within `crates/util/src/archive.rs`, which does not properly validate ZIP entry filenames against path traversal sequences such as `../`. This flaw enables malicious ZIP archives to extract files beyond the intended sandbox directory for extensions. The vulnerability is rated 7.4 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) and maps to CWE-22.
An attacker can exploit this vulnerability by crafting a malicious ZIP archive disguised as a legitimate Zed extension. Exploitation requires user interaction: the user must be persuaded to download and install the extension, for example by following a link from an untrusted source. Successful exploitation lets the attacker write arbitrary files outside the extension's sandbox, potentially overwriting files that matter to the user's environment and causing integrity violations such as configuration changes or the installation of persistence mechanisms; no direct confidentiality or availability impact is noted.
The official Zed security advisory at https://github.com/zed-industries/zed/security/advisories/GHSA-v385-xh3h-rrfr details the issue and confirms that upgrading to version 0.224.4 resolves the vulnerability by implementing proper path validation during ZIP extraction. Security practitioners should advise users to update Zed immediately and avoid installing extensions from untrusted sources.
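The fix the advisory describes, validating each ZIP entry name before it is written under the extension directory, is the kind of check shown here. This is an added example written for this page, not Zed's code from `crates/util/src/archive.rs`; the rejection rules, the destination path and the entry names are constructed for illustration and are not taken from the project's actual fix.

```rust
use std::path::{Component, Path, PathBuf};

/// Reason an archive entry name was refused.
#[derive(Debug, PartialEq, Eq)]
pub enum EntryError {
    Empty,
    Absolute,  // leading `/` or a drive/UNC prefix
    Traversal, // a `..` component anywhere in the name
    Backslash, // `\` would act as a separator on Windows
}

/// Map one ZIP entry name onto a path inside `dest`, or reject it.
/// The name is walked component by component, so `a/../../b` is caught
/// even though it starts with a harmless-looking directory.
pub fn safe_entry_path(dest: &Path, name: &str) -> Result<PathBuf, EntryError> {
    if name.is_empty() {
        return Err(EntryError::Empty);
    }
    if name.contains('\\') {
        return Err(EntryError::Backslash);
    }
    let mut out = dest.to_path_buf();
    for comp in Path::new(name).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => return Err(EntryError::Traversal),
            Component::RootDir | Component::Prefix(_) => return Err(EntryError::Absolute),
        }
    }
    Ok(out)
}

/// Validate every entry name before writing anything, so a malicious
/// archive is refused whole rather than left half-extracted.
pub fn plan_extraction(dest: &Path, names: &[&str]) -> Result<Vec<PathBuf>, (String, EntryError)> {
    names
        .iter()
        .map(|n| safe_entry_path(dest, n).map_err(|e| (n.to_string(), e)))
        .collect()
}

fn main() {
    // Constructed entry lists; a real caller would read names from the archive.
    let dest = Path::new("/tmp/extensions/demo");
    let benign = ["extension.toml", "src/./lib.rs", "languages/"];
    let hostile = ["extension.toml", "../../.zshrc"];
    println!("{:?}", plan_extraction(dest, &benign));
    println!("{:?}", plan_extraction(dest, &hostile));
}
```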
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8773
Vulnerability details
Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for path traversal sequences (e.g., `../`). This allows a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive. Version 0.224.4 fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Zip Slip enables an arbitrary file write outside the extension sandbox once a user installs the malicious ZIP (User Execution, T1204.002, is the prerequisite). That write directly supports dropping autostart files (T1547), overwriting binaries or configuration files (T1554), or placing hijack payloads (T1574).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs (ZIP entry filenames) to block path traversal sequences such as `../` during `extract_zip()` processing.
- AC-3 (Access Enforcement): enforces that file writes from extension archives are confined to the designated sandbox directory, preventing the unauthorized writes that the missing filename checks allow.
- Integrity verification: provides mechanisms that can detect unauthorized file modifications outside the intended extension directory after a malicious archive has been processed.