PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55429 coder CVE debrief

CVE-2026-55429 is a high-severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. The vulnerability allows for a cross-workspace agent reassignment due to improper verification of workspace IDs in the `UpsertWorkspaceApp` and `insertAgentApp` functions. This issue was addressed in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 of Coder. The vulnerability exists due to the `UpsertWorkspaceApp` function overwriting an existing app's `agent_id` on a primary-key conflict and the `insertAgentApp` function accepting an app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built.

Vendor
coder
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of Coder, especially those with elevated access as template authors or external provisioner operators, should be aware of this vulnerability and take steps to ensure they are running a patched version. This includes reviewing and limiting elevated access to Coder and monitoring for suspicious activity in Coder environments.

Technical summary

The vulnerability exists due to the `UpsertWorkspaceApp` function overwriting an existing app's `agent_id` on a primary-key conflict and the `insertAgentApp` function accepting an app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. The `CompleteJob` runs under `dbauthz.AsProvisionerd`, bypassing the authorization layer and allowing cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator.

Defensive priority

High priority should be given to patching Coder installations, especially in environments where elevated access is common. This includes reviewing compensating controls for exposed systems while remediation is scheduled and verified.

Recommended defensive actions

  • Patch Coder to version 2.29.7, 2.32.7, 2.33.8, or 2.34.2
  • Review and limit elevated access to Coder
  • Monitor for suspicious activity in Coder environments
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-08T00:16:33.597Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. The vulnerability exists in Coder, a tool for provisioning remote development environments via Terraform. The CVE record was published on 2026-07-08T00:16:33.597Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. Exploitation requires elevated access as a template author or external provisioner operator.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T00:16:33.597Z and has not been modified since then.