PatchSiren cyber security CVE debrief
CVE-2026-55429 coder CVE debrief
CVE-2026-55429 is a high-severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. The vulnerability allows for a cross-workspace agent reassignment due to improper verification of workspace IDs in the `UpsertWorkspaceApp` and `insertAgentApp` functions. This issue was addressed in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 of Coder. The vulnerability exists due to the `UpsertWorkspaceApp` function overwriting an existing app's `agent_id` on a primary-key conflict and the `insertAgentApp` function accepting an app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built.
- Vendor
- coder
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Coder, especially those with elevated access as template authors or external provisioner operators, should be aware of this vulnerability and take steps to ensure they are running a patched version. This includes reviewing and limiting elevated access to Coder and monitoring for suspicious activity in Coder environments.
Technical summary
The vulnerability exists due to the `UpsertWorkspaceApp` function overwriting an existing app's `agent_id` on a primary-key conflict and the `insertAgentApp` function accepting an app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. The `CompleteJob` runs under `dbauthz.AsProvisionerd`, bypassing the authorization layer and allowing cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator.
Defensive priority
High priority should be given to patching Coder installations, especially in environments where elevated access is common. This includes reviewing compensating controls for exposed systems while remediation is scheduled and verified.
Recommended defensive actions
- Patch Coder to version 2.29.7, 2.32.7, 2.33.8, or 2.34.2
- Review and limit elevated access to Coder
- Monitor for suspicious activity in Coder environments
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-08T00:16:33.597Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. The vulnerability exists in Coder, a tool for provisioning remote development environments via Terraform. The CVE record was published on 2026-07-08T00:16:33.597Z and has not been modified since then. The NVD entry is currently 8.7 HIGH. Exploitation requires elevated access as a template author or external provisioner operator.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T00:16:33.597Z and has not been modified since then.