Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbi…

CVE-2026-44466 affects Zed code editor versions prior to 0.229.0. The vulnerability allows bypassing the terminal tool permission system through bash arithmetic expansion $((...)) syntax. Attackers can execute arbitrary commands by nesting them inside allowlisted commands like echo. This represents a privilege escalation issue where security controls can be circumvented. The vulnerability has been patched in version 0.229.0. Users should update to the latest version to mitigate this security risk.