CVE-2026-27967
Published: 26 February 2026
Summary
CVE-2026-27967 is a high-severity Link Following (CWE-59) vulnerability in Zed (vendor Zed). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27967 is a symlink escape vulnerability in Zed, a code editor, affecting versions prior to 0.225.9. The flaw exists in the Agent file tools, specifically `read_file` and `edit_file`, which permit reading and writing files outside the project directory when a project includes symbolic links pointing to external paths. This circumvents Zed's intended workspace boundary and privacy protections, including `file_scan_exclusions` and `private_files`, with potential for leaking sensitive user data to the LLM. The vulnerability carries a CVSS score of 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-59: Improper Link Resolution Before File Access.
A local attacker with no privileges can exploit this by crafting a project containing symbolic links to external paths and tricking a user into opening it, requiring user interaction such as invoking the Agent tools. Successful exploitation enables high confidentiality and integrity impacts, allowing arbitrary file reads or writes outside the workspace boundaries and bypassing privacy controls, which could result in sensitive data exfiltration to an LLM.
The official Zed security advisory (GHSA-786m-x2vc-5235 at https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235) documents the issue, with version 0.225.9 released as the fix. Security practitioners should advise users to upgrade to Zed 0.225.9 or later to mitigate the vulnerability.
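As an added example, not Zed's own code, the following Rust shows the property a fix for this class of bug has to enforce: resolve the path an Agent tool was asked for through every symlink and `..` and verify that the real path still lies under the real workspace root before reading or writing. The function names (`check_within_workspace`, `build_demo_workspace`) and the constructed temp-directory layout are assumptions of this example, not Zed identifiers.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Outcome of checking a tool-requested path against the workspace root.
#[derive(Debug, PartialEq)]
pub enum PathCheck {
    /// The real (symlink-resolved) path, safe to hand to the file tool.
    Inside(PathBuf),
    /// The real path escaped the workspace; carried so it can be logged.
    Outside(PathBuf),
}

/// Resolve `requested` (relative to `root`) through every symlink and `..`
/// and verify that the real path still lies under the real `root`.
/// Also handles a path that does not exist yet (an `edit_file` creating a
/// new file) by resolving its parent directory instead.
pub fn check_within_workspace(root: &Path, requested: &Path) -> io::Result<PathCheck> {
    // Canonicalize the root too, so a root reached via a symlink compares correctly.
    let real_root = fs::canonicalize(root)?;
    // `join` with an absolute `requested` replaces the root, which is then caught below.
    let candidate = real_root.join(requested);

    let real = match fs::canonicalize(&candidate) {
        Ok(p) => p,
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            // A dangling symlink would redirect a later write; refuse it outright.
            let is_link = fs::symlink_metadata(&candidate)
                .map(|m| m.file_type().is_symlink())
                .unwrap_or(false);
            if is_link {
                return Err(io::Error::new(io::ErrorKind::InvalidInput, "dangling symlink"));
            }
            // Resolve the parent, then re-attach the final component.
            // A final `..` or `.` has no file name and is rejected.
            let name = candidate
                .file_name()
                .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
            let parent = candidate.parent().unwrap_or(real_root.as_path());
            fs::canonicalize(parent)?.join(name)
        }
        Err(e) => return Err(e),
    };

    // `starts_with` compares whole components, so `/tmp/proj` does not match `/tmp/project`.
    if real.starts_with(&real_root) {
        Ok(PathCheck::Inside(real))
    } else {
        Ok(PathCheck::Outside(real))
    }
}

/// Build a constructed workspace under the system temp dir (assumed layout):
///   <base>/project/src/main.rs                       real file inside the workspace
///   <base>/outside/secret.txt                        file outside the workspace
///   <base>/project/secret_link -> ../outside/secret.txt   escaping file symlink
///   <base>/project/outside_dir -> ../outside              escaping directory symlink
/// Returns the project root.
#[cfg(unix)]
pub fn build_demo_workspace() -> io::Result<PathBuf> {
    use std::os::unix::fs::symlink;
    let base = std::env::temp_dir().join(format!("symlink-escape-demo-{}", std::process::id()));
    let project = base.join("project");
    let outside = base.join("outside");
    let _ = fs::remove_dir_all(&base);
    fs::create_dir_all(project.join("src"))?;
    fs::create_dir_all(&outside)?;
    fs::write(project.join("src/main.rs"), "fn main() {}\n")?;
    fs::write(outside.join("secret.txt"), "constructed secret\n")?;
    symlink("../outside/secret.txt", project.join("secret_link"))?;
    symlink("../outside", project.join("outside_dir"))?;
    Ok(project)
}

#[cfg(unix)]
fn main() -> io::Result<()> {
    let project = build_demo_workspace()?;
    for req in ["src/main.rs", "src/new.rs", "secret_link", "outside_dir/new.txt", "../outside/secret.txt"] {
        println!("{req:<24} -> {:?}", check_within_workspace(&project, Path::new(req))?);
    }
    Ok(())
}
```

The important detail for a defender reviewing a tool boundary is that exclusion rules such as `file_scan_exclusions` and `private_files` must be matched against the resolved path returned here, not against the path the model supplied, because the lexical path of an escaping symlink looks entirely ordinary.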
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8777
Vulnerability details
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.
- CWE(s)
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Symlink escape in Agent read_file/edit_file tools enables unauthorized reads/writes of arbitrary files outside workspace boundaries, directly facilitating local data collection (T1005) and stored data manipulation (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly enforces the workspace boundary and file-access policy that the symlink escape bypasses in read_file/edit_file.
- Requires validation of file paths and symbolic-link targets before permitting access, blocking the improper link resolution.
- Limits the Agent tools to the minimum set of files inside the declared project directory, reducing the impact of any symlink escape.