PatchSiren cyber security CVE debrief
CVE-2026-55430 coder CVE debrief
CVE-2026-55430 is a vulnerability in Coder that allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host.
- Vendor
- coder
- Product
- Unknown
- CVSS
- MEDIUM 5.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Coder versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 who have subdomain app routing (wildcard hostname) enabled and have deployments whose upstream proxy does not strip `X-Forwarded-Host`.
Technical summary
The workspace app proxy in Coder resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. This allows client-side JavaScript to set the `X-Forwarded-Host` header on `fetch()` calls, potentially leading to exploitation. The vulnerability requires subdomain app routing (wildcard hostname) to be enabled, a victim to visit the attacker's shared app, and a deployment whose upstream proxy does not strip `X-Forwarded-Host`.
Defensive priority
Medium
Recommended defensive actions
- Update to Coder versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2 or later
- Configure trusted proxies to strip or overwrite `X-Forwarded-Host` on untrusted requests
- Implement upstream reverse proxy to strip or overwrite `X-Forwarded-Host` on untrusted requests
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
CVE-2026-55430 is a vulnerability in Coder that allows organizations to provision remote development environments via Terraform. The CVE record was published on 2026-07-08T01:16:27.270Z and has not been modified since then. The NVD entry is currently 5.8 MEDIUM. No additional information is available beyond the initial CVE and NVD publications. Users should verify the official CVE record and NVD details for the most current information. The evidence provided is limited, and defenders should review the official advisory for affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T01:16:27.270Z and has not been modified since then.