Cyber Resilience

CVE-2026-27967

High · Public PoC

Published: 26 February 2026
Modified: 05 March 2026
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS score: 0.0001 (0.9th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27967 is a high-severity Link Following (CWE-59) vulnerability in Zed (vendor: Zed). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 0.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is classified as AI-related (AI category: Enterprise AI Assistants; risk domain: Privacy and Disclosure).

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27967 is a symlink escape vulnerability in Zed, a code editor, affecting versions prior to 0.225.9. The flaw exists in the Agent file tools, specifically `read_file` and `edit_file`, which permit reading and writing files outside the project directory when a project includes symbolic links pointing to external paths. This circumvents Zed's intended workspace boundary and privacy protections, including `file_scan_exclusions` and `private_files`, with potential for leaking sensitive user data to the LLM. The vulnerability carries a CVSS score of 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-59: Improper Link Resolution Before File Access.

A local attacker with no privileges can exploit this by crafting a project that contains symbolic links to external paths and persuading a user to open it; user interaction, such as invoking the Agent tools on that project, is required. Successful exploitation has high confidentiality and integrity impact: it allows arbitrary file reads or writes outside the workspace boundary, bypasses the privacy controls, and can result in sensitive data being exfiltrated to an LLM.

The official Zed security advisory (GHSA-786m-x2vc-5235 at https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235) documents the issue, with version 0.225.9 released as the fix. Security practitioners should advise users to upgrade to Zed 0.225.9 or later to mitigate the vulnerability.
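To show the CWE-59 pattern described above in code, here is an added Rust example (not Zed's own code; the fixture layout, file names and function names are assumptions): a naive containment check that compares path components as text, beside a hardened check that canonicalizes the path, resolving every symlink, before deciding whether it stays under the workspace root.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Naive containment check: joins the request onto the root and compares path
/// components as text. A symlink inside the workspace that points outside passes.
pub fn naive_in_workspace(root: &Path, requested: &Path) -> bool {
    root.join(requested).starts_with(root)
}

/// Hardened check: canonicalize root and request (resolving symlinks, `..` and
/// platform quirks such as /var -> /private/var), then require the resolved
/// target to remain under the resolved root. A canonicalize-then-open sequence
/// is still racy (TOCTOU); a complete fix also re-validates after opening.
pub fn resolve_in_workspace(root: &Path, requested: &Path) -> io::Result<PathBuf> {
    let root = fs::canonicalize(root)?;
    let target = fs::canonicalize(root.join(requested))?;
    if target.starts_with(&root) { return Ok(target); }
    let msg = format!("{} resolves outside the workspace", requested.display());
    Err(io::Error::new(io::ErrorKind::PermissionDenied, msg))
}

/// Constructed fixture under the system temp dir (hypothetical, not a Zed project):
///   <base>/outside/secret.txt                        file outside the workspace
///   <base>/workspace/readme.txt                      ordinary project file
///   <base>/workspace/escape -> ../outside/secret.txt the escaping symlink
pub fn build_fixture() -> io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir().join(format!("cwe59-demo-{}", std::process::id()));
    let (outside, workspace) = (base.join("outside"), base.join("workspace"));
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&workspace)?;
    fs::write(outside.join("secret.txt"), "constructed secret")?;
    fs::write(workspace.join("readme.txt"), "constructed readme")?;
    let link = workspace.join("escape");
    if fs::symlink_metadata(&link).is_err() {
        std::os::unix::fs::symlink("../outside/secret.txt", &link)?;
    }
    Ok((workspace, outside))
}

fn main() -> io::Result<()> {
    let (ws, _) = build_fixture()?;
    for name in ["readme.txt", "escape"] {
        let req = Path::new(name);
        println!("{name}: naive={} hardened={}", naive_in_workspace(&ws, req), resolve_in_workspace(&ws, req).is_ok());
    }
    Ok(())
}
```

The boundary check alone does not model `file_scan_exclusions` or `private_files`; those filters would be applied to the canonical path the hardened check returns.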


Vulnerability details

Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.


AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Symlink escape in Agent read_file/edit_file tools enables unauthorized reads/writes of arbitrary files outside workspace boundaries, directly facilitating local data collection (T1005) and stored data manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25805 (same product: Zed)
CVE-2026-27800 (same product: Zed)
CVE-2026-44461 (same product: Zed)
CVE-2026-44463 (same product: Zed)
CVE-2026-44465 (same product: Zed)
CVE-2026-27976 (same product: Zed)
CVE-2026-40931 (shared CWE-59)
CVE-2026-5161 (shared CWE-59)
CVE-2025-24103 (shared CWE-59)
CVE-2026-48921 (shared CWE-59)

Affected Assets

zed / zed: ≤ 0.225.9

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly enforces the workspace boundary and file-access policy that the symlink escape bypasses in read_file/edit_file.

Prevent: Requires validation of file paths and symbolic-link targets before permitting access, blocking the improper link resolution.

Prevent: Limits the Agent tools to the minimum set of files inside the declared project directory, reducing the impact of any symlink escape.
