PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55078 coder CVE debrief

CVE-2026-55078 is a denial-of-service vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The vulnerability arises from the `POST /api/v2/files` endpoint, which converts zip uploads to tar in memory without an aggregate limit on total decompressed output. This leads to an unbounded in-memory buffer, allowing attackers with authenticated file-upload access to cause a denial of service. The impact is limited to availability, and the vulnerability affects Coder versions 2.17.0 through 2.29.6, 2.32.6, 2.33.7, and 2.34.1. The fix involves adding a metadata preflight check and a streaming writer that enforces the aggregate limit during decompression.

Vendor
coder
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Coder versions 2.17.0 through 2.29.6, 2.32.6, 2.33.7, and 2.34.1 should assess and potentially update to patched versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2. This includes operators, platform administrators, vulnerability management teams, and security teams responsible for ensuring the security and availability of Coder deployments.

Technical summary

CVE-2026-55078 is a denial-of-service vulnerability in Coder, affecting versions 2.17.0 through 2.29.6, 2.32.6, 2.33.7, and 2.34.1. The vulnerability arises from the `POST /api/v2/files` endpoint, which converts zip uploads to tar in memory. This process applies a per-entry size limit but lacks an aggregate limit on total decompressed output, leading to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access, and the impact is limited to availability. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression.

Defensive priority

Medium priority due to the requirement for authenticated access and the limited impact to availability.

Recommended defensive actions

  • Update to Coder versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2
  • Restrict file-upload permissions to trusted users
  • Implement a reverse proxy with request-body size limits
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD entry provide details on the vulnerability and patches. Coder's official releases and security advisories confirm the issue and fixes. Evidence is limited, and defenders should verify affected scope and vendor guidance. The vulnerability affects Coder versions 2.17.0 through 2.29.6, 2.32.6, 2.33.7, and 2.34.1. Exploitation requires authenticated file-upload access, and the impact is limited to availability (denial of service).

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:55.510Z and has not been modified since then.