CVE-2026-25805

Zed does not show Parameter Values for MCP Tool Calls. Users cannot detect tool poisoning.

Description

Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show with which parameters a tool is being invoked, when asking for allowance. Further it does not show after the tool was being invoked, which parameters were used. Thus, maybe unwanted or even malicious values could be used without the user having a chance to notice it. Patched in Zed Editor 0.219.4 which includes expandable tool call details.

INFO

Published Date :

2026-02-10T17:27:49.390Z

Last Modified :

2026-02-10T19:20:11.990Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-25805 vulnerability.

Vendors	Products
Zed-industries	Zed

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25805.

URL	Resource
https://github.com/zed-industries/zed/security/advisories/GHSA-f2g4-87h6-4pxq

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact