These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-55438 is a MEDIUM severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. This could allow an attacker to craft a URL that, when visited by an authenticated victim, could exploit the vulnerability. The [truncated]
CVE-2026-55437: Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did [truncated]
CVE-2026-55436 is a high-severity vulnerability in Coder's AI Bridge Proxy. The vulnerability allows for a TLS certificate validation bypass, enabling an attacker to intercept and modify traffic between the AI Bridge Proxy and the Coder server. This issue was introduced in version 2.30.0 and fixed in versions 2.32.7, 2.33.8, and 2.34.2. The vulnerability has a CVSS score of 7.4 and is considered HIGH seve [truncated]
The Coder devcontainer recreate endpoint had an authorization issue. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, it relied on route middleware that checked only `ActionRead` on the workspace. Unlike the sibling delete endpoint, it performed no `ActionUpdate` check before triggering the destructive rebuild. This issue required an existing low-privilege role with access to the target workspace for [truncated]
The CVE record describes a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. Versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 are affected by an issue where `coder open app` opens external workspace-app URLs without validating the scheme or host. This can lead to security risks if an attacker controls the external app definition, as they can substitute the [truncated]
CVE-2026-55430 is a vulnerability in Coder that allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is no [truncated]
CVE-2026-55429 is a high-severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. The vulnerability allows for a cross-workspace agent reassignment due to improper verification of workspace IDs in the `UpsertWorkspaceApp` and `insertAgentApp` functions. This issue was addressed in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 of Coder. The vulnerability exists [truncated]
CVE-2026-55427 involves Coder, which allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `coder config-ssh` command wrote server-supplied SSH settings into the user's `~/.ssh/config` without proper sanitization, potentially allowing a malicious Coder server to inject arbitrary SSH configuration.
CVE-2026-55079 is a vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions 2.24.0 and prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `Fi [truncated]
CVE-2026-55078 is a denial-of-service vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The vulnerability arises from the `POST /api/v2/files` endpoint, which converts zip uploads to tar in memory without an aggregate limit on total decompressed output. This leads to an unbounded in-memory buffer, allowing attackers with authenticated file-upload access to [truncated]
CVE-2026-55077 is a high-severity vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The vulnerability exists in the `PUT /api/v2/users/{user}/password` endpoint, which was only authorized for `ActionUpdatePersonal`. This authorization flaw allowed a `user-admin` to reset an `owner` account's password without requiring the current password. The practical ris [truncated]
CVE-2026-55076 is a high-severity vulnerability in Coder, a platform for provisioning remote development environments via Terraform. The issue lies in the OIDC callback's handling of the `email_verified` claim. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's implementation used a direct Go `bool` type assertion for `email_verified`. If an Identity Provider (IdP) returned this claim as a non- [truncated]
CVE-2026-55075 involves Coder, a platform for provisioning remote development environments via Terraform. A critical vulnerability was found in its OIDC login mechanism, which could lead to account takeover. The issue arises from two main flaws: firstly, email-based user matching could fall back to linking by email without properly checking for an existing link to a different IdP subject; secondly, the 'e [truncated]
The CVE record for CVE-2026-46354 describes a critical vulnerability in Coder, a tool for provisioning remote development environments via Terraform. In versions prior to 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, the `azureidentity.Validate()` function fails to verify the PKCS#7 signature, allowing an attacker to embed a legitimate Azure certificate with arbitrary content. This could expose th [truncated]
The CVE record for CVE-2026-45796 was published on 2026-07-07T22:16:52.317Z and has not been modified since then. The vulnerability is an unauthenticated semi-blind Server-Side Request Forgery (SSRF) in Coder via the Azure instance identity endpoint (POST /api/v2/workspaceagents/azure-instance-identity). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or ex [truncated]
CVE-2026-44454 is a high-severity vulnerability in Coder, a tool for provisioning remote development environments via Terraform. The vulnerability exists in the dotfiles registry module, where unsanitized user input was passed to shell commands, allowing for arbitrary code execution within a provisioned workspace. An attacker could exploit this by crafting a malicious dotfiles URI, potentially leading to [truncated]