PatchSiren cyber security CVE debrief
CVE-2026-55438 coder CVE debrief
CVE-2026-55438 is a MEDIUM severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. This could allow an attacker to craft a URL that, when visited by an authenticated victim, could exploit the vulnerability. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity.
- Vendor
- coder
- Product
- Unknown
- CVSS
- MEDIUM 5.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Coder, especially those who have enabled subdomain app routing (wildcard hostname), should be aware of this vulnerability and take steps to protect themselves. This includes upgrading to a patched version of Coder and ensuring that only authorized users have access to the system.
Technical summary
The vulnerability exists in Coder's subdomain-based workspace app proxy. When a workspace-name subdomain segment is parsed as a UUID, the workspace is resolved by ID without confirming the URL's username matches the real owner. The CORS middleware trusts the unverified username in the hostname. An attacker could craft a URL that, when visited by an authenticated victim, could exploit the vulnerability. The fix validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a patched version of Coder (2.29.17, 2.32.7, 2.33.8, or 2.34.2 or later)
- Ensure that only authorized users have access to the system
- Monitor for suspicious activity on the system
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-08T01:16:28.150Z and has not been modified since then. The NVD entry is currently 5.8 MEDIUM. The vulnerability has a CVSS score of 5.8 and a severity of MEDIUM.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T01:16:28.150Z and has not been modified since then.