PatchSiren

coder CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM coder CVE published 2026-07-08

CVE-2026-55438

CVE-2026-55438 is a MEDIUM severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. This could allow an attacker to craft a URL that, when visited by an authenticated victim, could exploit the vulnerability. The [truncated]

MEDIUM coder CVE published 2026-07-08

CVE-2026-55437

CVE-2026-55437: Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did [truncated]

HIGH coder CVE published 2026-07-08

CVE-2026-55436

CVE-2026-55436 is a high-severity vulnerability in Coder's AI Bridge Proxy. The vulnerability allows for a TLS certificate validation bypass, enabling an attacker to intercept and modify traffic between the AI Bridge Proxy and the Coder server. This issue was introduced in version 2.30.0 and fixed in versions 2.32.7, 2.33.8, and 2.34.2. The vulnerability has a CVSS score of 7.4 and is considered HIGH seve [truncated]

MEDIUM coder CVE published 2026-07-08

CVE-2026-55433

The Coder devcontainer recreate endpoint had an authorization issue. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, it relied on route middleware that checked only `ActionRead` on the workspace. Unlike the sibling delete endpoint, it performed no `ActionUpdate` check before triggering the destructive rebuild. This issue required an existing low-privilege role with access to the target workspace for [truncated]

HIGH coder CVE published 2026-07-08

CVE-2026-55431

The CVE record describes a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. Versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 are affected by an issue where `coder open app` opens external workspace-app URLs without validating the scheme or host. This can lead to security risks if an attacker controls the external app definition, as they can substitute the [truncated]

MEDIUM coder CVE published 2026-07-08

CVE-2026-55430

CVE-2026-55430 is a vulnerability in Coder that allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is no [truncated]

HIGH coder CVE published 2026-07-08

CVE-2026-55429

CVE-2026-55429 is a high-severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. The vulnerability allows for a cross-workspace agent reassignment due to improper verification of workspace IDs in the `UpsertWorkspaceApp` and `insertAgentApp` functions. This issue was addressed in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 of Coder. The vulnerability exists [truncated]

HIGH coder CVE published 2026-07-08

CVE-2026-55427

CVE-2026-55427 involves Coder, which allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `coder config-ssh` command wrote server-supplied SSH settings into the user's `~/.ssh/config` without proper sanitization, potentially allowing a malicious Coder server to inject arbitrary SSH configuration.

MEDIUM coder CVE published 2026-07-08

CVE-2026-55079

CVE-2026-55079 is a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions 2.24.0 and prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `Fi [truncated]

MEDIUM coder CVE published 2026-07-07

CVE-2026-55078

CVE-2026-55078 is a denial-of-service vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The vulnerability arises from the `POST /api/v2/files` endpoint, which converts zip uploads to tar in memory without an aggregate limit on total decompressed output. This leads to an unbounded in-memory buffer, allowing attackers with authenticated file-upload access to [truncated]

HIGH coder CVE published 2026-07-07

CVE-2026-55077

CVE-2026-55077 is a high-severity vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The vulnerability exists in the `PUT /api/v2/users/{user}/password` endpoint, which was only authorized for `ActionUpdatePersonal`. This authorization flaw allowed a `user-admin` to reset an `owner` account's password without requiring the current password. The practical ris [truncated]

HIGH coder CVE published 2026-07-07

CVE-2026-55076

CVE-2026-55076 is a high-severity vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The issue lies in the OIDC callback's handling of the `email_verified` claim. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's implementation used a direct Go `bool` type assertion for `email_verified`. If an Identity Provider (IdP) returned this claim as a non- [truncated]

HIGH coder CVE published 2026-07-07

CVE-2026-55075

CVE-2026-55075 involves Coder, a platform for provisioning remote development environments via Terraform. A critical vulnerability was found in its OIDC login mechanism, which could lead to account takeover. The issue arises from two main flaws: firstly, email-based user matching could fall back to linking by email without properly checking for an existing link to a different IdP subject; secondly, the 'e [truncated]

CRITICAL coder CVE published 2026-07-07

CVE-2026-46354

The CVE record for CVE-2026-46354 describes a critical vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, the `azureidentity.Validate()` function fails to verify the PKCS#7 signature, allowing an attacker to embed a legitimate Azure certificate with arbitrary content. This could expose th [truncated]

MEDIUM coder CVE published 2026-07-07

CVE-2026-45796

The CVE record for CVE-2026-45796 was published on 2026-07-07T22:16:52.317Z and has not been modified since then. The vulnerability is an unauthenticated semi-blind Server-Side Request Forgery (SSRF) in Coder via the Azure instance identity endpoint (POST /api/v2/workspaceagents/azure-instance-identity). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or ex [truncated]

HIGH coder CVE published 2026-07-07

CVE-2026-44454

CVE-2026-44454 is a high-severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. The vulnerability exists in the dotfiles registry module, where unsanitized user input was passed to shell commands, allowing for arbitrary code execution within a provisioned workspace. An attacker could exploit this by crafting a malicious dotfiles URI, potentially leading to [truncated]