PatchSiren cyber security CVE debrief
CVE-2026-55079 coder CVE debrief
CVE-2026-55079 is a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions 2.24.0 and prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. Users should restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.
- Vendor
- coder
- Product
- Unknown
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Coder versions 2.24.0 through 2.29.6, 2.32.6, 2.33.7, and 2.34.1 should be aware of this vulnerability and take steps to mitigate it. This includes restricting access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts and upgrading to a patched version.
Technical summary
The vulnerability exists in the `NewDataBuilder` in `provisionersdk/proto/dataupload.go`. The `FileSize` value from a `DataUpload` message was used to allocate a byte slice without an upper-bound check. This could lead to potential denial-of-service (DoS) attacks. The fix adds a validation check against an upper bound (`MaxFileSize = 100 MiB`) before allocation. Affected users should review Coder's advisory for specific version updates.
Defensive priority
Medium
Recommended defensive actions
- Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts
- Upgrade to Coder version 2.29.7, 2.32.7, 2.33.8, or 2.34.2
- Monitor for suspicious activity on the provisioner daemon serve endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-08T00:16:33.153Z and has not been modified since then. The NVD entry is currently 4.9 (MEDIUM). Evidence is limited to CVE and NVD details. Defenders should verify product versions and patch status with Coder. No additional details are available.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T00:16:33.153Z and has not been modified since then.