
CVE-2026-27967

Severity: High · Public PoC

Published: 26 February 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: version 0.225.9 fixes the issue
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27967 is a high-severity Link Following (CWE-59) vulnerability in the Zed code editor (vendor: Zed). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Machine Learning Libraries.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Symlink escape in Agent read_file/edit_file tools enables unauthorized reads/writes of arbitrary files outside workspace boundaries, directly facilitating local data collection (T1005) and stored data manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.

Deeper analysis (AI)

CVE-2026-27967 is a symlink escape vulnerability in Zed, a code editor, affecting versions prior to 0.225.9. The flaw exists in the Agent file tools, specifically `read_file` and `edit_file`, which permit reading and writing files outside the project directory when a project includes symbolic links pointing to external paths. This circumvents Zed's intended workspace boundary and privacy protections, including `file_scan_exclusions` and `private_files`, with potential for leaking sensitive user data to the LLM. The vulnerability carries a CVSS score of 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-59: Improper Link Resolution Before File Access.

A local attacker with no privileges can exploit this by crafting a project containing symbolic links to external paths and tricking a user into opening it, requiring user interaction such as invoking the Agent tools. Successful exploitation enables high confidentiality and integrity impacts, allowing arbitrary file reads or writes outside the workspace boundaries and bypassing privacy controls, which could result in sensitive data exfiltration to an LLM.

The official Zed security advisory (GHSA-786m-x2vc-5235 at https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235) documents the issue, with version 0.225.9 released as the fix. Security practitioners should advise users to upgrade to Zed 0.225.9 or later to mitigate the vulnerability.
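As an added illustration (not code from Zed or from the advisory), the containment check a workspace-bounded file tool needs: the lexical check that a symlink defeats, beside a hardened version that canonicalises both sides and also covers the not-yet-existing file an `edit_file` write would create. It assumes a Unix host and builds its own constructed workspace layout in the temp directory; `lexically_inside`, `resolve_inside_workspace` and `build_demo_workspace` are hypothetical names.

```rust
use std::fs;
use std::io::{self, Error, ErrorKind};
use std::path::{Component, Path, PathBuf};
// Lexical check of the kind CWE-59 bugs rely on: handles "." and ".." but
// never consults the filesystem, so an in-workspace symlink pointing outside passes.
pub fn lexically_inside(root: &Path, requested: &Path) -> bool {
    let mut joined = root.to_path_buf();
    for c in requested.components() {
        match c {
            Component::Normal(p) => joined.push(p),
            Component::ParentDir => { joined.pop(); }
            Component::CurDir => {}
            _ => return false, // absolute paths and prefixes rejected outright
        }
    }
    joined.starts_with(root)
}

// Hardened check: canonicalise (follow symlinks on) root and target, compare real paths.
pub fn resolve_inside_workspace(root: &Path, requested: &Path) -> io::Result<PathBuf> {
    let denied = || Error::new(ErrorKind::PermissionDenied, "path escapes workspace");
    let real_root = fs::canonicalize(root)?;
    let candidate = real_root.join(requested);
    let real_target = match fs::canonicalize(&candidate) {
        Ok(p) => p,
        // File not created yet (edit_file): resolve the parent and re-append the
        // name, but refuse a dangling symlink there, which a later write would follow.
        Err(e) if e.kind() == ErrorKind::NotFound => {
            let dangling = fs::symlink_metadata(&candidate)
                .map(|m| m.file_type().is_symlink()).unwrap_or(false);
            if dangling { return Err(denied()); }
            let name = candidate.file_name().ok_or_else(denied)?;
            fs::canonicalize(candidate.parent().ok_or_else(denied)?)?.join(name)
        }
        Err(e) => return Err(e),
    };
    if real_target.starts_with(&real_root) { Ok(real_target) } else { Err(denied()) }
}

// Constructed demo layout in the OS temp dir (Unix-only symlink): <base>/outside/secret.txt,
// <base>/workspace/lib.rs and the escape <base>/workspace/link -> ../outside/secret.txt.
pub fn build_demo_workspace() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("cwe59-demo-{}", std::process::id()));
    fs::create_dir_all(base.join("outside"))?;
    fs::create_dir_all(base.join("workspace"))?;
    fs::write(base.join("outside/secret.txt"), "token=constructed-sample")?;
    fs::write(base.join("workspace/lib.rs"), "// sample")?;
    std::os::unix::fs::symlink("../outside/secret.txt", base.join("workspace/link"))?;
    Ok(base.join("workspace"))
}
```

Note that `fs::canonicalize` requires the path to exist, which is why the write-to-new-file case is handled separately rather than by the same call.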

Details

CWE(s): CWE-59 Improper Link Resolution Before File Access ('Link Following')

Affected Products

zed / zed: ≤ 0.225.9 (as listed; the NVD description above states that versions prior to 0.225.9 are affected and that 0.225.9 contains the fix)

AI Security Analysis (AI)

AI Category: Machine Learning Libraries
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm

CVEs Like This One

CVE-2026-27976 (same product: Zed)
CVE-2026-27800 (same product: Zed)
CVE-2026-25805 (same product: Zed)
CVE-2026-5161 (shared CWE-59)
CVE-2026-40931 (shared CWE-59)
CVE-2026-27905 (shared CWE-59)
CVE-2026-41882 (shared CWE-59)
CVE-2025-24103 (shared CWE-59)
CVE-2025-25185 (shared CWE-59)
CVE-2025-0377 (shared CWE-59)
