PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55079 coder CVE debrief

CVE-2026-55079 is a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions 2.24.0 and prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. Users should restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Vendor
coder
Product
Unknown
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of Coder versions 2.24.0 through 2.29.6, 2.32.6, 2.33.7, and 2.34.1 should be aware of this vulnerability and take steps to mitigate it. This includes restricting access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts and upgrading to a patched version.

Technical summary

The vulnerability exists in the `NewDataBuilder` in `provisionersdk/proto/dataupload.go`. The `FileSize` value from a `DataUpload` message was used to allocate a byte slice without an upper-bound check. This could lead to potential denial-of-service (DoS) attacks. The fix adds a validation check against an upper bound (`MaxFileSize = 100 MiB`) before allocation. Affected users should review Coder's advisory for specific version updates.

Defensive priority

Medium

Recommended defensive actions

  • Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts
  • Upgrade to Coder version 2.29.7, 2.32.7, 2.33.8, or 2.34.2
  • Monitor for suspicious activity on the provisioner daemon serve endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T00:16:33.153Z and has not been modified since then. The NVD entry is currently 4.9 (MEDIUM). Evidence is limited to CVE and NVD details. Defenders should verify product versions and patch status with Coder. No additional details are available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T00:16:33.153Z and has not been modified since then.