PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55437 coder CVE debrief

CVE-2026-55437: Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard.

Vendor
coder
Product
Unknown
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of Coder versions prior to 2.29.17, 2.32.7, 2.33.8, and 2.34.2 who provision remote development environments via Terraform and rely on the dashboard for monitoring workspace agent logs. Affected operators should review logs and restrict dashboard access.

Technical summary

The `AgentLogLine` dashboard component in Coder instantiated `ansi-to-html` without proper escaping, allowing HTML embedded in workspace agent log lines to be rendered as live markup. This vulnerability requires a victim to view attacker-controlled agent logs in the dashboard to be exploited. The fix enables `escapeXML: true` to escape HTML metacharacters before DOM insertion. Affected users should review logs for suspicious activity and restrict dashboard access.

Defensive priority

Medium priority due to the requirement for user interaction and the limited scope of exploitation.

Recommended defensive actions

  • Upgrade to Coder versions 2.29.17, 2.32.7, 2.33.8, or 2.34.2 or later
  • Review and monitor workspace agent logs for suspicious activity
  • Restrict access to the dashboard to authorized users only
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-08T01:16:28.020Z and has not been modified since then. The NVD entry is currently 5.4 MEDIUM. Limited details are available about the vulnerability, and no workarounds are provided. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T01:16:28.020Z and has not been modified since then.