


Perceptive Security
SOC/SIEM Consultancy

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable key…
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 19:09:38
Source:
nvd.nist.gov
Security Tools
CVE-2026-44461 affects Zed code editor versions prior to 0.227.1. The vulnerability occurs when Zed builds SSH/WSL remote commands using shell command strings starting with 'exec env', but fails to properly validate or quote environment variable keys. Attackers who can control environment variable keys through project terminal settings can inject shell expansions like $(...) that get evaluated by the remote shell when terminals are opened. This leads to arbitrary command execution on remote hosts under the victim's user account. The vulnerability is fixed in version 0.227.1.
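The class of flaw described above, as an added example that is not taken from Zed's source or its patch: a command builder that quotes values but pastes environment variable keys in raw, beside one that rejects any key that is not a plain POSIX name. All function names and the sample key are constructed for illustration; how 0.227.1 implements its fix is not shown on this page.

```rust
// Added illustration; not Zed's code. All names here are hypothetical.
use std::collections::BTreeMap;

/// POSIX single-quote escaping: close the quote, emit \', reopen the quote.
fn sh_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "'\\''"))
}

/// Pattern the advisory describes: values are quoted, keys are copied verbatim,
/// so shell syntax inside a key reaches the remote shell unescaped.
fn build_unvalidated(env: &BTreeMap<String, String>, program: &str) -> String {
    let mut cmd = String::from("exec env");
    for (k, v) in env {
        cmd.push_str(&format!(" {}={}", k, sh_quote(v)));
    }
    format!("{} {}", cmd, sh_quote(program))
}

/// Portable environment variable name: [A-Za-z_][A-Za-z0-9_]*
fn is_valid_env_key(k: &str) -> bool {
    let mut chars = k.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Hardened form: refuse to build the command if any key is not a plain name.
fn build_validated(env: &BTreeMap<String, String>, program: &str) -> Result<String, String> {
    let mut cmd = String::from("exec env");
    for (k, v) in env {
        if !is_valid_env_key(k) {
            return Err(format!("rejected environment variable key: {:?}", k));
        }
        cmd.push_str(&format!(" {}={}", k, sh_quote(v)));
    }
    Ok(format!("{} {}", cmd, sh_quote(program)))
}

fn main() {
    let mut env = BTreeMap::new();
    env.insert("TERM".to_string(), "xterm-256color".to_string());
    // Constructed sample key containing a shell expansion, as in the advisory text.
    env.insert("X$(echo constructed)".to_string(), "1".to_string());
    println!("unvalidated: {}", build_unvalidated(&env, "/bin/sh"));
    println!("validated:   {:?}", build_validated(&env, "/bin/sh"));
}
```

Rejecting the key outright, rather than trying to quote it, avoids depending on how the remote shell and `env` parse a quoted name.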
Affected products:
Zed
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44461
https://github.com/zed-industries/zed/security/advisories/GHSA-63qj-jc2q-7hg5
This article was created with the assistance of AI technology by Perceptive.
