PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55432 coder CVE debrief

CVE-2026-55432 is a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps. This could let a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`.

Vendor
coder
Product
Unknown
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Administrators and users of Coder versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing the configuration of their Coder instances, ensuring that the maximum port sharing level is properly set, and monitoring for potential exploitation.

Technical summary

The `CreateSubAgent` RPC in Coder did not properly validate app sharing levels, allowing potential escalation of privileges. The fix clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. This vulnerability requires the ability to register sub-agent apps in a workspace the attacker controls. Administrators should review the configuration of their Coder instances to ensure that the maximum port sharing level is properly set.

Defensive priority

Medium

Recommended defensive actions

  • Update to Coder versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2 or later
  • Disable wildcard app hostnames (CODER_WILDCARD_ACCESS_URL) as a workaround
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance

Evidence notes

The CVE record was published on 2026-07-08T01:16:27.620Z and has not been modified since then. The NVD entry is currently 5.4 MEDIUM. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide additional details on the exploitation of this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T01:16:27.620Z and has not been modified since then.