Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    58 vulnerabilities by coder

    CVE-2026-55438 (GCVE-0-2026-55438)

    Vulnerability from nvd – Published: 2026-07-08 00:31 – Updated: 2026-07-08 17:10
    VLAI
    Title
    Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55438",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T16:56:25.900709Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T17:10:30.943Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder\u0027s subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL\u0027s username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker\u0027s crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace\u0027s actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:31:20.573Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw"
            },
            {
              "name": "https://github.com/coder/coder/pull/26085",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26085"
            },
            {
              "name": "https://github.com/coder/coder/pull/26086",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26086"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-5wg6-jmq2-53pw",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55438",
        "datePublished": "2026-07-08T00:31:20.573Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T17:10:30.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55437 (GCVE-0-2026-55437)

    Vulnerability from nvd – Published: 2026-07-08 00:29 – Updated: 2026-07-08 14:00
    VLAI
    Title
    Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55437",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:00:28.554141Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:00:43.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:29:18.268Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7"
            },
            {
              "name": "https://github.com/coder/coder/pull/25808",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25808"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-7qw2-f75v-62f7",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55437",
        "datePublished": "2026-07-08T00:29:18.268Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:00:43.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55436 (GCVE-0-2026-55436)

    Vulnerability from nvd – Published: 2026-07-08 00:26 – Updated: 2026-07-08 13:11
    VLAI
    Title
    Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55436",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:11:39.614123Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:11:46.877Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:26:13.175Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-84rm-42xw-mx52",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-84rm-42xw-mx52"
            },
            {
              "name": "https://github.com/coder/coder/pull/26131",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26131"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-84rm-42xw-mx52",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s AI Bridge Proxy skips TLS certificate verification in default configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55436",
        "datePublished": "2026-07-08T00:26:13.175Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:11:46.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55433 (GCVE-0-2026-55433)

    Vulnerability from nvd – Published: 2026-07-08 00:22 – Updated: 2026-07-08 13:01
    VLAI
    Title
    Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55433",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:36.512667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:01:44.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:22:36.304Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm"
            },
            {
              "name": "https://github.com/coder/coder/pull/25812",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25812"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-jqj2-x4c5-jfxm",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55433",
        "datePublished": "2026-07-08T00:22:36.304Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:01:44.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55432 (GCVE-0-2026-55432)

    Vulnerability from nvd – Published: 2026-07-08 00:20 – Updated: 2026-07-08 12:51
    VLAI
    Title
    Coder's sub-agent app registration bypasses template port-sharing policy enforcement
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55432",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T12:51:04.699684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:51:10.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template\u0027s `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator\u0027s configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template\u0027s `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:20:24.264Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-x9qq-2qh5-8rxf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-x9qq-2qh5-8rxf"
            },
            {
              "name": "https://github.com/coder/coder/pull/26061",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26061"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x9qq-2qh5-8rxf",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s sub-agent app registration bypasses template port-sharing policy enforcement"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55432",
        "datePublished": "2026-07-08T00:20:24.264Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T12:51:10.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55431 (GCVE-0-2026-55431)

    Vulnerability from nvd – Published: 2026-07-08 00:10 – Updated: 2026-07-08 13:57
    VLAI
    Title
    Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55431",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:56:53.370657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:57:02.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user\u0027s real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:10:49.165Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-v54h-cp2w-9x4g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-v54h-cp2w-9x4g"
            },
            {
              "name": "https://github.com/coder/coder/pull/26146",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26146"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v54h-cp2w-9x4g",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s session token leaked to arbitrary hosts via `coder open app` for external workspace apps"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55431",
        "datePublished": "2026-07-08T00:10:49.165Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:57:02.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55430 (GCVE-0-2026-55430)

    Vulnerability from nvd – Published: 2026-07-08 00:03 – Updated: 2026-07-08 17:10
    VLAI
    Title
    Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55430",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T16:57:10.249359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T17:10:40.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker\u0027s shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:03:29.728Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-5g4w-3vw9-478w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-5g4w-3vw9-478w"
            },
            {
              "name": "https://github.com/coder/coder/pull/26204",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26204"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-5g4w-3vw9-478w",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55430",
        "datePublished": "2026-07-08T00:03:29.728Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T17:10:40.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55429 (GCVE-0-2026-55429)

    Vulnerability from nvd – Published: 2026-07-08 00:00 – Updated: 2026-07-08 14:41
    VLAI
    Title
    Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:41:33.806014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:41:39.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app\u0027s `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner\u0027s `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:00:33.785Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v"
            },
            {
              "name": "https://github.com/coder/coder/pull/26103",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26103"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9rjw-3gwp-f59v",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55429",
        "datePublished": "2026-07-08T00:00:33.785Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:41:39.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55428 (GCVE-0-2026-55428)

    Vulnerability from nvd – Published: 2026-07-07 23:57 – Updated: 2026-07-08 13:11
    VLAI
    Title
    Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55428",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:10:59.507766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:11:08.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent\u0027s `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent\u0027s UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:57:45.338Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp"
            },
            {
              "name": "https://github.com/coder/coder/pull/26144",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26144"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wrq8-fcv5-8hvp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55428",
        "datePublished": "2026-07-07T23:57:45.338Z",
        "dateReserved": "2026-06-16T21:59:57.016Z",
        "dateUpdated": "2026-07-08T13:11:08.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55427 (GCVE-0-2026-55427)

    Vulnerability from nvd – Published: 2026-07-07 23:55 – Updated: 2026-07-08 13:10
    VLAI
    Title
    Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user's `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:09:33.858876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:10:01.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user\u0027s `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:55:26.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-mcqq-fqgf-rxwm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-mcqq-fqgf-rxwm"
            },
            {
              "name": "https://github.com/coder/coder/pull/26154",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26154"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mcqq-fqgf-rxwm",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55427",
        "datePublished": "2026-07-07T23:55:26.240Z",
        "dateReserved": "2026-06-16T21:48:43.126Z",
        "dateUpdated": "2026-07-08T13:10:01.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55079 (GCVE-0-2026-55079)

    Vulnerability from nvd – Published: 2026-07-07 23:50 – Updated: 2026-07-08 12:53
    VLAI
    Title
    Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: >= 2.24.0, < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T12:53:26.878982Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:53:41.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.24.0, \u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:50:37.197Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c"
            },
            {
              "name": "https://github.com/coder/coder/pull/25710",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25710"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-f962-qm93-mj4c",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s unbounded memory allocation in provisioner file upload allows authenticated denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55079",
        "datePublished": "2026-07-07T23:50:37.197Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T12:53:41.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55078 (GCVE-0-2026-55078)

    Vulnerability from nvd – Published: 2026-07-07 22:47 – Updated: 2026-07-08 13:55
    VLAI
    Title
    Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: >= 2.17.0, < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:54:48.796364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:55:16.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.17.0, \u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:47:07.079Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-2mg2-p7r7-g27f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-2mg2-p7r7-g27f"
            },
            {
              "name": "https://github.com/coder/coder/pull/25877",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25877"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-2mg2-p7r7-g27f",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55078",
        "datePublished": "2026-07-07T22:47:07.079Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T13:55:16.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55077 (GCVE-0-2026-55077)

    Vulnerability from nvd – Published: 2026-07-07 22:44 – Updated: 2026-07-09 14:41
    VLAI
    Title
    Coder: User-admin role can reset owner account password
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55077",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:31:17.655406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:41:52.486Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account\u0027s password. It also did not require the current password when an admin reset another user\u0027s password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:44:28.621Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-29xf-69gq-m9jx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-29xf-69gq-m9jx"
            },
            {
              "name": "https://github.com/coder/coder/pull/25709",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25709"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-29xf-69gq-m9jx",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: User-admin role can reset owner account password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55077",
        "datePublished": "2026-07-07T22:44:28.621Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-09T14:41:52.486Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55076 (GCVE-0-2026-55076)

    Vulnerability from nvd – Published: 2026-07-07 22:23 – Updated: 2026-07-08 14:03
    VLAI
    Title
    Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `"false"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-704 - Incorrect Type Conversion or Cast
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:03:30.696230Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:03:39.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder\u0027s OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `\"false\"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-704",
                  "description": "CWE-704: Incorrect Type Conversion or Cast",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:23:26.179Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-75vm-6w67-gwvp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-75vm-6w67-gwvp"
            },
            {
              "name": "https://github.com/coder/coder/pull/25712",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25712"
            },
            {
              "name": "https://github.com/coder/coder/pull/25713",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25713"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-75vm-6w67-gwvp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s OIDC email_verified type coercion bypass enables account takeover via unverified email linking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55076",
        "datePublished": "2026-07-07T22:23:26.179Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T14:03:39.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55075 (GCVE-0-2026-55075)

    Vulnerability from nvd – Published: 2026-07-07 21:33 – Updated: 2026-07-08 13:03
    VLAI
    Title
    Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-289 - Authentication Bypass by Alternate Name
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:02:51.874018Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:03:16.212Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder\u0027s OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "CWE-289: Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:33:38.189Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f"
            },
            {
              "name": "https://github.com/coder/coder/pull/25712",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25712"
            },
            {
              "name": "https://github.com/coder/coder/pull/25713",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25713"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9r87-mvcw-x35f",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55075",
        "datePublished": "2026-07-07T21:33:38.189Z",
        "dateReserved": "2026-06-16T14:33:35.710Z",
        "dateUpdated": "2026-07-08T13:03:16.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46354 (GCVE-0-2026-46354)

    Vulnerability from nvd – Published: 2026-07-07 21:10 – Updated: 2026-07-08 13:01
    VLAI
    Title
    Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
    Summary
    Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":"<target>"}` and the forged `vmId` will be accepted returning the victim workspace agent's session token. No authentication is required. The attacker only needs to know a target VM's `vmId` which is a `UUIDv4`. That's a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.33.0-rc.0, < 2.33.3
    Affected: >= 2.32.0-rc.0, < 2.32.2
    Affected: >= 2.31.0, < 2.31.12
    Affected: >= 2.30.0, < 2.30.8
    Affected: >= 2.29.0, < 2.29.13
    Affected: < 2.24.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46354",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:18.394796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:01:25.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0-rc.0, \u003c 2.33.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.32.0-rc.0, \u003c 2.32.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.31.0, \u003c 2.31.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.30.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.29.0, \u003c 2.29.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.24.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{\"vmId\":\"\u003ctarget\u003e\"}` and the forged `vmId` will be accepted returning the victim workspace agent\u0027s session token. No authentication is required. The attacker only needs to know a target VM\u0027s `vmId` which is a `UUIDv4`. That\u0027s a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:10:01.899Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf"
            },
            {
              "name": "https://github.com/coder/coder/pull/25286",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25286"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.24.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.24.5"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.13"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.30.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.30.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.31.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.31.12"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.2"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.3"
            }
          ],
          "source": {
            "advisory": "GHSA-6x44-w3xg-hqqf",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46354",
        "datePublished": "2026-07-07T21:10:01.899Z",
        "dateReserved": "2026-05-13T18:37:30.991Z",
        "dateUpdated": "2026-07-08T13:01:25.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55438 (GCVE-0-2026-55438)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:31 – Updated: 2026-07-08 17:10
    VLAI
    Title
    Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55438",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T16:56:25.900709Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T17:10:30.943Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder\u0027s subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL\u0027s username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker\u0027s crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace\u0027s actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:31:20.573Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw"
            },
            {
              "name": "https://github.com/coder/coder/pull/26085",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26085"
            },
            {
              "name": "https://github.com/coder/coder/pull/26086",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26086"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-5wg6-jmq2-53pw",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55438",
        "datePublished": "2026-07-08T00:31:20.573Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T17:10:30.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55437 (GCVE-0-2026-55437)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:29 – Updated: 2026-07-08 14:00
    VLAI
    Title
    Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55437",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:00:28.554141Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:00:43.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:29:18.268Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7"
            },
            {
              "name": "https://github.com/coder/coder/pull/25808",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25808"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-7qw2-f75v-62f7",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55437",
        "datePublished": "2026-07-08T00:29:18.268Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:00:43.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55436 (GCVE-0-2026-55436)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:26 – Updated: 2026-07-08 13:11
    VLAI
    Title
    Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55436",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:11:39.614123Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:11:46.877Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:26:13.175Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-84rm-42xw-mx52",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-84rm-42xw-mx52"
            },
            {
              "name": "https://github.com/coder/coder/pull/26131",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26131"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-84rm-42xw-mx52",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s AI Bridge Proxy skips TLS certificate verification in default configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55436",
        "datePublished": "2026-07-08T00:26:13.175Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:11:46.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55433 (GCVE-0-2026-55433)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:22 – Updated: 2026-07-08 13:01
    VLAI
    Title
    Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55433",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:36.512667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:01:44.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:22:36.304Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm"
            },
            {
              "name": "https://github.com/coder/coder/pull/25812",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25812"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-jqj2-x4c5-jfxm",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55433",
        "datePublished": "2026-07-08T00:22:36.304Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:01:44.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55432 (GCVE-0-2026-55432)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:20 – Updated: 2026-07-08 12:51
    VLAI
    Title
    Coder's sub-agent app registration bypasses template port-sharing policy enforcement
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55432",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T12:51:04.699684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:51:10.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template\u0027s `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator\u0027s configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template\u0027s `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:20:24.264Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-x9qq-2qh5-8rxf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-x9qq-2qh5-8rxf"
            },
            {
              "name": "https://github.com/coder/coder/pull/26061",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26061"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x9qq-2qh5-8rxf",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s sub-agent app registration bypasses template port-sharing policy enforcement"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55432",
        "datePublished": "2026-07-08T00:20:24.264Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T12:51:10.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55431 (GCVE-0-2026-55431)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:10 – Updated: 2026-07-08 13:57
    VLAI
    Title
    Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55431",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:56:53.370657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:57:02.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user\u0027s real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:10:49.165Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-v54h-cp2w-9x4g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-v54h-cp2w-9x4g"
            },
            {
              "name": "https://github.com/coder/coder/pull/26146",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26146"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v54h-cp2w-9x4g",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s session token leaked to arbitrary hosts via `coder open app` for external workspace apps"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55431",
        "datePublished": "2026-07-08T00:10:49.165Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:57:02.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55430 (GCVE-0-2026-55430)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:03 – Updated: 2026-07-08 17:10
    VLAI
    Title
    Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55430",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T16:57:10.249359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T17:10:40.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker\u0027s shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:03:29.728Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-5g4w-3vw9-478w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-5g4w-3vw9-478w"
            },
            {
              "name": "https://github.com/coder/coder/pull/26204",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26204"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-5g4w-3vw9-478w",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55430",
        "datePublished": "2026-07-08T00:03:29.728Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T17:10:40.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55429 (GCVE-0-2026-55429)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:00 – Updated: 2026-07-08 14:41
    VLAI
    Title
    Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:41:33.806014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:41:39.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app\u0027s `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner\u0027s `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:00:33.785Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v"
            },
            {
              "name": "https://github.com/coder/coder/pull/26103",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26103"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9rjw-3gwp-f59v",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55429",
        "datePublished": "2026-07-08T00:00:33.785Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:41:39.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55428 (GCVE-0-2026-55428)

    Vulnerability from cvelistv5 – Published: 2026-07-07 23:57 – Updated: 2026-07-08 13:11
    VLAI
    Title
    Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55428",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:10:59.507766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:11:08.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent\u0027s `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent\u0027s UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:57:45.338Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp"
            },
            {
              "name": "https://github.com/coder/coder/pull/26144",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26144"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wrq8-fcv5-8hvp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55428",
        "datePublished": "2026-07-07T23:57:45.338Z",
        "dateReserved": "2026-06-16T21:59:57.016Z",
        "dateUpdated": "2026-07-08T13:11:08.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55427 (GCVE-0-2026-55427)

    Vulnerability from cvelistv5 – Published: 2026-07-07 23:55 – Updated: 2026-07-08 13:10
    VLAI
    Title
    Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user's `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:09:33.858876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:10:01.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user\u0027s `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:55:26.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-mcqq-fqgf-rxwm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-mcqq-fqgf-rxwm"
            },
            {
              "name": "https://github.com/coder/coder/pull/26154",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26154"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mcqq-fqgf-rxwm",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55427",
        "datePublished": "2026-07-07T23:55:26.240Z",
        "dateReserved": "2026-06-16T21:48:43.126Z",
        "dateUpdated": "2026-07-08T13:10:01.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55079 (GCVE-0-2026-55079)

    Vulnerability from cvelistv5 – Published: 2026-07-07 23:50 – Updated: 2026-07-08 12:53
    VLAI
    Title
    Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: >= 2.24.0, < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T12:53:26.878982Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:53:41.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.24.0, \u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:50:37.197Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c"
            },
            {
              "name": "https://github.com/coder/coder/pull/25710",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25710"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-f962-qm93-mj4c",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s unbounded memory allocation in provisioner file upload allows authenticated denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55079",
        "datePublished": "2026-07-07T23:50:37.197Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T12:53:41.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55078 (GCVE-0-2026-55078)

    Vulnerability from cvelistv5 – Published: 2026-07-07 22:47 – Updated: 2026-07-08 13:55
    VLAI
    Title
    Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: >= 2.17.0, < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:54:48.796364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:55:16.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.17.0, \u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:47:07.079Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-2mg2-p7r7-g27f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-2mg2-p7r7-g27f"
            },
            {
              "name": "https://github.com/coder/coder/pull/25877",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25877"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-2mg2-p7r7-g27f",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55078",
        "datePublished": "2026-07-07T22:47:07.079Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T13:55:16.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55077 (GCVE-0-2026-55077)

    Vulnerability from cvelistv5 – Published: 2026-07-07 22:44 – Updated: 2026-07-09 14:41
    VLAI
    Title
    Coder: User-admin role can reset owner account password
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55077",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:31:17.655406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:41:52.486Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account\u0027s password. It also did not require the current password when an admin reset another user\u0027s password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:44:28.621Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-29xf-69gq-m9jx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-29xf-69gq-m9jx"
            },
            {
              "name": "https://github.com/coder/coder/pull/25709",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25709"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-29xf-69gq-m9jx",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: User-admin role can reset owner account password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55077",
        "datePublished": "2026-07-07T22:44:28.621Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-09T14:41:52.486Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55076 (GCVE-0-2026-55076)

    Vulnerability from cvelistv5 – Published: 2026-07-07 22:23 – Updated: 2026-07-08 14:03
    VLAI
    Title
    Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `"false"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-704 - Incorrect Type Conversion or Cast
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:03:30.696230Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:03:39.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder\u0027s OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `\"false\"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-704",
                  "description": "CWE-704: Incorrect Type Conversion or Cast",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:23:26.179Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-75vm-6w67-gwvp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-75vm-6w67-gwvp"
            },
            {
              "name": "https://github.com/coder/coder/pull/25712",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25712"
            },
            {
              "name": "https://github.com/coder/coder/pull/25713",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25713"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-75vm-6w67-gwvp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s OIDC email_verified type coercion bypass enables account takeover via unverified email linking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55076",
        "datePublished": "2026-07-07T22:23:26.179Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T14:03:39.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }