Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    29 vulnerabilities by coder

    CVE-2026-55438 (GCVE-0-2026-55438)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:31 – Updated: 2026-07-08 17:10
    VLAI
    Title
    Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55438",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T16:56:25.900709Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T17:10:30.943Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder\u0027s subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL\u0027s username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker\u0027s crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace\u0027s actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:31:20.573Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw"
            },
            {
              "name": "https://github.com/coder/coder/pull/26085",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26085"
            },
            {
              "name": "https://github.com/coder/coder/pull/26086",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26086"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-5wg6-jmq2-53pw",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55438",
        "datePublished": "2026-07-08T00:31:20.573Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T17:10:30.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55437 (GCVE-0-2026-55437)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:29 – Updated: 2026-07-08 14:00
    VLAI
    Title
    Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55437",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:00:28.554141Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:00:43.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:29:18.268Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7"
            },
            {
              "name": "https://github.com/coder/coder/pull/25808",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25808"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-7qw2-f75v-62f7",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55437",
        "datePublished": "2026-07-08T00:29:18.268Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:00:43.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55436 (GCVE-0-2026-55436)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:26 – Updated: 2026-07-08 13:11
    VLAI
    Title
    Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55436",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:11:39.614123Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:11:46.877Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:26:13.175Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-84rm-42xw-mx52",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-84rm-42xw-mx52"
            },
            {
              "name": "https://github.com/coder/coder/pull/26131",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26131"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-84rm-42xw-mx52",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s AI Bridge Proxy skips TLS certificate verification in default configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55436",
        "datePublished": "2026-07-08T00:26:13.175Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:11:46.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55433 (GCVE-0-2026-55433)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:22 – Updated: 2026-07-08 13:01
    VLAI
    Title
    Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55433",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:36.512667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:01:44.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:22:36.304Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm"
            },
            {
              "name": "https://github.com/coder/coder/pull/25812",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25812"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-jqj2-x4c5-jfxm",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55433",
        "datePublished": "2026-07-08T00:22:36.304Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:01:44.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55432 (GCVE-0-2026-55432)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:20 – Updated: 2026-07-08 12:51
    VLAI
    Title
    Coder's sub-agent app registration bypasses template port-sharing policy enforcement
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55432",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T12:51:04.699684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:51:10.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template\u0027s `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator\u0027s configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template\u0027s `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:20:24.264Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-x9qq-2qh5-8rxf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-x9qq-2qh5-8rxf"
            },
            {
              "name": "https://github.com/coder/coder/pull/26061",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26061"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x9qq-2qh5-8rxf",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s sub-agent app registration bypasses template port-sharing policy enforcement"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55432",
        "datePublished": "2026-07-08T00:20:24.264Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T12:51:10.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55431 (GCVE-0-2026-55431)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:10 – Updated: 2026-07-08 13:57
    VLAI
    Title
    Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55431",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:56:53.370657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:57:02.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user\u0027s real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:10:49.165Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-v54h-cp2w-9x4g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-v54h-cp2w-9x4g"
            },
            {
              "name": "https://github.com/coder/coder/pull/26146",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26146"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v54h-cp2w-9x4g",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s session token leaked to arbitrary hosts via `coder open app` for external workspace apps"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55431",
        "datePublished": "2026-07-08T00:10:49.165Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T13:57:02.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55430 (GCVE-0-2026-55430)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:03 – Updated: 2026-07-08 17:10
    VLAI
    Title
    Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55430",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T16:57:10.249359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T17:10:40.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker\u0027s shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:03:29.728Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-5g4w-3vw9-478w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-5g4w-3vw9-478w"
            },
            {
              "name": "https://github.com/coder/coder/pull/26204",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26204"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-5g4w-3vw9-478w",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55430",
        "datePublished": "2026-07-08T00:03:29.728Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T17:10:40.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55429 (GCVE-0-2026-55429)

    Vulnerability from cvelistv5 – Published: 2026-07-08 00:00 – Updated: 2026-07-08 14:41
    VLAI
    Title
    Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:41:33.806014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:41:39.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app\u0027s `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner\u0027s `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T00:00:33.785Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v"
            },
            {
              "name": "https://github.com/coder/coder/pull/26103",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26103"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9rjw-3gwp-f59v",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55429",
        "datePublished": "2026-07-08T00:00:33.785Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:41:39.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55428 (GCVE-0-2026-55428)

    Vulnerability from cvelistv5 – Published: 2026-07-07 23:57 – Updated: 2026-07-08 13:11
    VLAI
    Title
    Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55428",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:10:59.507766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:11:08.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent\u0027s `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent\u0027s UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:57:45.338Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp"
            },
            {
              "name": "https://github.com/coder/coder/pull/26144",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26144"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wrq8-fcv5-8hvp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55428",
        "datePublished": "2026-07-07T23:57:45.338Z",
        "dateReserved": "2026-06-16T21:59:57.016Z",
        "dateUpdated": "2026-07-08T13:11:08.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55427 (GCVE-0-2026-55427)

    Vulnerability from cvelistv5 – Published: 2026-07-07 23:55 – Updated: 2026-07-08 13:10
    VLAI
    Title
    Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user's `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:09:33.858876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:10:01.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user\u0027s `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:55:26.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-mcqq-fqgf-rxwm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-mcqq-fqgf-rxwm"
            },
            {
              "name": "https://github.com/coder/coder/pull/26154",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26154"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mcqq-fqgf-rxwm",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55427",
        "datePublished": "2026-07-07T23:55:26.240Z",
        "dateReserved": "2026-06-16T21:48:43.126Z",
        "dateUpdated": "2026-07-08T13:10:01.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55079 (GCVE-0-2026-55079)

    Vulnerability from cvelistv5 – Published: 2026-07-07 23:50 – Updated: 2026-07-08 12:53
    VLAI
    Title
    Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: >= 2.24.0, < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T12:53:26.878982Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T12:53:41.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.24.0, \u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T23:50:37.197Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c"
            },
            {
              "name": "https://github.com/coder/coder/pull/25710",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25710"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-f962-qm93-mj4c",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s unbounded memory allocation in provisioner file upload allows authenticated denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55079",
        "datePublished": "2026-07-07T23:50:37.197Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T12:53:41.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55078 (GCVE-0-2026-55078)

    Vulnerability from cvelistv5 – Published: 2026-07-07 22:47 – Updated: 2026-07-08 13:55
    VLAI
    Title
    Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: >= 2.17.0, < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:54:48.796364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:55:16.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.17.0, \u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:47:07.079Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-2mg2-p7r7-g27f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-2mg2-p7r7-g27f"
            },
            {
              "name": "https://github.com/coder/coder/pull/25877",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25877"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-2mg2-p7r7-g27f",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55078",
        "datePublished": "2026-07-07T22:47:07.079Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T13:55:16.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55077 (GCVE-0-2026-55077)

    Vulnerability from cvelistv5 – Published: 2026-07-07 22:44 – Updated: 2026-07-07 22:44
    VLAI
    Title
    Coder: User-admin role can reset owner account password
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account's password. It also did not require the current password when an admin reset another user's password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account\u0027s password. It also did not require the current password when an admin reset another user\u0027s password. Exploitation requires the privileged `user-admin` role so practical risk is limited to deployments that grant `user-admin` to less trusted operators. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 prevents non-owner users from resetting the password of an account that holds the `owner` role. As a workaround, restrict the `user-admin` role to trusted administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:44:28.621Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-29xf-69gq-m9jx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-29xf-69gq-m9jx"
            },
            {
              "name": "https://github.com/coder/coder/pull/25709",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25709"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-29xf-69gq-m9jx",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: User-admin role can reset owner account password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55077",
        "datePublished": "2026-07-07T22:44:28.621Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-07T22:44:28.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55076 (GCVE-0-2026-55076)

    Vulnerability from cvelistv5 – Published: 2026-07-07 22:23 – Updated: 2026-07-08 14:03
    VLAI
    Title
    Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `"false"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-704 - Incorrect Type Conversion or Cast
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:03:30.696230Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:03:39.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder\u0027s OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the string `\"false\"`) or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 coerces `email_verified` across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject. As a workaround, ensure the IdP returns `email_verified` as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-704",
                  "description": "CWE-704: Incorrect Type Conversion or Cast",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T22:23:26.179Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-75vm-6w67-gwvp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-75vm-6w67-gwvp"
            },
            {
              "name": "https://github.com/coder/coder/pull/25712",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25712"
            },
            {
              "name": "https://github.com/coder/coder/pull/25713",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25713"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-75vm-6w67-gwvp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s OIDC email_verified type coercion bypass enables account takeover via unverified email linking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55076",
        "datePublished": "2026-07-07T22:23:26.179Z",
        "dateReserved": "2026-06-16T14:33:35.711Z",
        "dateUpdated": "2026-07-08T14:03:39.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55075 (GCVE-0-2026-55075)

    Vulnerability from cvelistv5 – Published: 2026-07-07 21:33 – Updated: 2026-07-08 13:03
    VLAI
    Title
    Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-289 - Authentication Bypass by Alternate Name
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Affected: < 2.29.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:02:51.874018Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:03:16.212Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.29.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder\u0027s OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "CWE-289: Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:33:38.189Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f"
            },
            {
              "name": "https://github.com/coder/coder/pull/25712",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25712"
            },
            {
              "name": "https://github.com/coder/coder/pull/25713",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25713"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9r87-mvcw-x35f",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55075",
        "datePublished": "2026-07-07T21:33:38.189Z",
        "dateReserved": "2026-06-16T14:33:35.710Z",
        "dateUpdated": "2026-07-08T13:03:16.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46354 (GCVE-0-2026-46354)

    Vulnerability from cvelistv5 – Published: 2026-07-07 21:10 – Updated: 2026-07-08 13:01
    VLAI
    Title
    Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
    Summary
    Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":"<target>"}` and the forged `vmId` will be accepted returning the victim workspace agent's session token. No authentication is required. The attacker only needs to know a target VM's `vmId` which is a `UUIDv4`. That's a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.33.0-rc.0, < 2.33.3
    Affected: >= 2.32.0-rc.0, < 2.32.2
    Affected: >= 2.31.0, < 2.31.12
    Affected: >= 2.30.0, < 2.30.8
    Affected: >= 2.29.0, < 2.29.13
    Affected: < 2.24.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46354",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:18.394796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:01:25.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0-rc.0, \u003c 2.33.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.32.0-rc.0, \u003c 2.32.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.31.0, \u003c 2.31.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.30.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.29.0, \u003c 2.29.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.24.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{\"vmId\":\"\u003ctarget\u003e\"}` and the forged `vmId` will be accepted returning the victim workspace agent\u0027s session token. No authentication is required. The attacker only needs to know a target VM\u0027s `vmId` which is a `UUIDv4`. That\u0027s a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:10:01.899Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-6x44-w3xg-hqqf"
            },
            {
              "name": "https://github.com/coder/coder/pull/25286",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25286"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.24.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.24.5"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.13"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.30.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.30.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.31.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.31.12"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.2"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.3"
            }
          ],
          "source": {
            "advisory": "GHSA-6x44-w3xg-hqqf",
            "discovery": "UNKNOWN"
          },
          "title": "Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46354",
        "datePublished": "2026-07-07T21:10:01.899Z",
        "dateReserved": "2026-05-13T18:37:30.991Z",
        "dateUpdated": "2026-07-08T13:01:25.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45796 (GCVE-0-2026-45796)

    Vulnerability from cvelistv5 – Published: 2026-07-07 21:03 – Updated: 2026-07-08 13:53
    VLAI
    Title
    Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target's response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, if the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (`/api/v2/workspaceagents/azure-instance-identity`) using ingress firewall and/or proxy ACLs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.33.0-rc.0, < 2.33.3
    Affected: >= 2.32.0-rc.0, < 2.32.2
    Affected: >= 2.31.0, < 2.31.12
    Affected: >= 2.30.0, < 2.30.8
    Affected: >= 2.29.0, < 2.29.13
    Affected: < 2.24.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45796",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:53:31.695518Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:53:41.602Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0-rc.0, \u003c 2.33.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.32.0-rc.0, \u003c 2.32.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.31.0, \u003c 2.31.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.30.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.29.0, \u003c 2.29.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.24.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target\u0027s response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, if the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (`/api/v2/workspaceagents/azure-instance-identity`) using ingress firewall and/or proxy ACLs."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:04:47.963Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-686c-7vgv-v3fx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-686c-7vgv-v3fx"
            },
            {
              "name": "https://github.com/coder/coder/pull/25274",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/25274"
            },
            {
              "name": "https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.24.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.24.5"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.13"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.30.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.30.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.31.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.31.12"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.2"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.3"
            }
          ],
          "source": {
            "advisory": "GHSA-686c-7vgv-v3fx",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45796",
        "datePublished": "2026-07-07T21:03:11.066Z",
        "dateReserved": "2026-05-13T08:19:32.603Z",
        "dateUpdated": "2026-07-08T13:53:41.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44454 (GCVE-0-2026-44454)

    Vulnerability from cvelistv5 – Published: 2026-07-07 20:16 – Updated: 2026-07-08 13:48
    VLAI
    Title
    Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted `dotfiles_uri` value (for example, one containing shell command substitution such as `$(...)`) could achieve command execution in their own workspace. The Create Workspace page's `mode=auto` deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled `param.dotfiles_uri` and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation. In versions 2.29.7 and 2.30.2, input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe `eval`/`sh -c` usage was removed. This eliminated the command injection at its source.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: < 2.29.7
    Affected: >= 2.30.0, < 2.30.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44454",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:47:43.261401Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:48:00.841Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.29.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.30.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted `dotfiles_uri` value (for example, one containing shell command substitution such as `$(...)`) could achieve command execution in their own workspace. The Create Workspace page\u0027s `mode=auto` deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled `param.dotfiles_uri` and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation. In versions 2.29.7 and 2.30.2, input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe `eval`/`sh -c` usage was removed. This eliminated the command injection at its source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:06:20.237Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-m3cr-vc2j-pm27",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-m3cr-vc2j-pm27"
            },
            {
              "name": "https://github.com/coder/coder/pull/22011",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/22011"
            },
            {
              "name": "https://github.com/coder/registry/pull/703",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/registry/pull/703"
            },
            {
              "name": "https://github.com/coder/coder/commit/60e3ab7632f42415d283b9fd5622ee53a4639ceb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/60e3ab7632f42415d283b9fd5622ee53a4639ceb"
            },
            {
              "name": "https://github.com/coder/registry/commit/8e68c96633f65a1babd76a93b6923e3deead4a82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/registry/commit/8e68c96633f65a1babd76a93b6923e3deead4a82"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.29.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.29.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.30.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.30.2"
            }
          ],
          "source": {
            "advisory": "GHSA-m3cr-vc2j-pm27",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44454",
        "datePublished": "2026-07-07T20:16:39.161Z",
        "dateReserved": "2026-05-06T15:49:25.192Z",
        "dateUpdated": "2026-07-08T13:48:00.841Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55434 (GCVE-0-2026-55434)

    Vulnerability from cvelistv5 – Published: 2026-07-07 20:14 – Updated: 2026-07-08 14:15
    VLAI
    Title
    Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Exploitation requires authenticated access to the AI Bridge endpoints and the impact is limited to availability (denial of service). Versions 2.33.8 and 2.34.2 patch the issue. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55434",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T14:15:03.906169Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T14:15:15.446Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Exploitation requires authenticated access to the AI Bridge endpoints and the impact is limited to availability (denial of service). Versions 2.33.8 and 2.34.2 patch the issue. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T20:14:00.531Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-f5vp-w269-392g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-f5vp-w269-392g"
            },
            {
              "name": "https://github.com/coder/coder/pull/26164",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26164"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-f5vp-w269-392g",
            "discovery": "UNKNOWN"
          },
          "title": "Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55434",
        "datePublished": "2026-07-07T20:14:00.531Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-08T14:15:15.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55435 (GCVE-0-2026-55435)

    Vulnerability from cvelistv5 – Published: 2026-07-07 17:37 – Updated: 2026-07-07 17:37
    VLAI
    Title
    Suspended Coder users retain access to AI Bridge LLM proxy endpoints
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.34.0, < 2.34.2
    Affected: >= 2.33.0, < 2.33.8
    Affected: >= 2.30.0, < 2.32.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.34.0, \u003c 2.34.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.33.0, \u003c 2.33.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.30.0, \u003c 2.32.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user\u0027s unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user\u0027s API keys via `DELETE /api/v2/users/{user}/keys`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T17:37:31.211Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-wqxv-w64v-5wh6"
            },
            {
              "name": "https://github.com/coder/coder/pull/26164",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26164"
            },
            {
              "name": "https://github.com/coder/coder/pull/26173",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/26173"
            },
            {
              "name": "https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/0d2c9f904a8b75b888140fcc8fbf4633660cc787"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.32.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.33.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.34.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wqxv-w64v-5wh6",
            "discovery": "UNKNOWN"
          },
          "title": "Suspended Coder users retain access to AI Bridge LLM proxy endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55435",
        "datePublished": "2026-07-07T17:37:31.211Z",
        "dateReserved": "2026-06-16T21:59:57.017Z",
        "dateUpdated": "2026-07-07T17:37:31.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35454 (GCVE-0-2026-35454)

    Vulnerability from cvelistv5 – Published: 2026-04-06 21:51 – Updated: 2026-04-07 15:08
    VLAI
    Title
    Code Extension Marketplace has a Zip Slip Path Traversal
    Summary
    The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    coder code-marketplace Affected: < 2.4.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35454",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T14:35:14.881298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:08:45.865Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "code-marketplace",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-06T21:51:53.048Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h"
            },
            {
              "name": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2"
            }
          ],
          "source": {
            "advisory": "GHSA-8x9r-hvwg-c55h",
            "discovery": "UNKNOWN"
          },
          "title": "Code Extension Marketplace has a Zip Slip Path Traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35454",
        "datePublished": "2026-04-06T21:51:53.048Z",
        "dateReserved": "2026-04-02T19:25:52.193Z",
        "dateUpdated": "2026-04-07T15:08:45.865Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66411 (GCVE-0-2025-66411)

    Vulnerability from cvelistv5 – Published: 2025-12-03 19:25 – Updated: 2025-12-03 21:42
    VLAI
    Title
    Coder logged sensitive objects unsanitized
    Summary
    Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.28.0, < 2.28.4
    Affected: >= 2.27.0, < 2.27.7
    Affected: < 2.26.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66411",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T21:41:56.452426Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T21:42:17.349Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.28.0, \u003c 2.28.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.27.0, \u003c 2.27.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.26.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-03T19:25:24.207Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74"
            },
            {
              "name": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.26.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.26.5"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.27.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.27.7"
            },
            {
              "name": "https://github.com/coder/coder/releases/tag/v2.28.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/releases/tag/v2.28.4"
            }
          ],
          "source": {
            "advisory": "GHSA-jf75-p25m-pw74",
            "discovery": "UNKNOWN"
          },
          "title": "Coder logged sensitive objects unsanitized"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66411",
        "datePublished": "2025-12-03T19:25:24.207Z",
        "dateReserved": "2025-11-28T23:33:56.366Z",
        "dateUpdated": "2025-12-03T21:42:17.349Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59956 (GCVE-0-2025-59956)

    Vulnerability from cvelistv5 – Published: 2025-09-29 23:57 – Updated: 2025-09-30 14:14
    VLAI
    Title
    AgentAPI exposed user chat history via a DNS rebinding attack
    Summary
    AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. This allows for the unauthorized exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. This issue is fixed in version 0.4.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
    Assigner
    Impacted products
    Vendor Product Version
    coder agentapi Affected: < 0.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59956",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-30T14:14:39.407205Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-30T14:14:53.214Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://mcpsec.dev/advisories/2025-09-19-coder-chat-exfiltration/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "agentapi",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. This allows for the unauthorized exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. This issue is fixed in version 0.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-350",
                  "description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-29T23:57:08.133Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/agentapi/security/advisories/GHSA-w64r-2g3w-w8w4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/agentapi/security/advisories/GHSA-w64r-2g3w-w8w4"
            },
            {
              "name": "https://github.com/coder/agentapi/pull/49",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/agentapi/pull/49"
            },
            {
              "name": "https://github.com/coder/agentapi/commit/5c425c62447b8a9eac19e9fc5a2eae7f0803f149",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/agentapi/commit/5c425c62447b8a9eac19e9fc5a2eae7f0803f149"
            },
            {
              "name": "https://github.blog/security/application-security/localhost-dangers-cors-and-dns-rebinding",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.blog/security/application-security/localhost-dangers-cors-and-dns-rebinding"
            },
            {
              "name": "https://github.com/coder/agentapi/releases/tag/v0.4.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/agentapi/releases/tag/v0.4.0"
            },
            {
              "name": "https://mcpsec.dev/advisories/2025-09-19-coder-chat-exfiltration",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mcpsec.dev/advisories/2025-09-19-coder-chat-exfiltration"
            }
          ],
          "source": {
            "advisory": "GHSA-w64r-2g3w-w8w4",
            "discovery": "UNKNOWN"
          },
          "title": "AgentAPI exposed user chat history via a DNS rebinding attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-59956",
        "datePublished": "2025-09-29T23:57:08.133Z",
        "dateReserved": "2025-09-23T14:33:49.506Z",
        "dateUpdated": "2025-09-30T14:14:53.214Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58437 (GCVE-0-2025-58437)

    Vulnerability from cvelistv5 – Published: 2025-09-06 02:30 – Updated: 2025-09-08 16:45
    VLAI
    Title
    Coder's privilege escalation vulnerability could lead to a cross workspace compromise
    Summary
    Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new session token is generated for the user that claimed the workspace, but the previous session token for the prebuilds user was not expired. Any Coder workspace templates that persist this automatically generated session token are potentially impacted. This is fixed in versions 2.24.4 and 2.25.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    • CWE-279 - Incorrect Execution-Assigned Permissions
    • CWE-277 - Insecure Inherited Permissions
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.22.0, < 2.24.4
    Affected: >= 2.25.0, < 2.25.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58437",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T16:45:07.417468Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T16:45:15.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.22.0, \u003c 2.24.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.25.0, \u003c 2.25.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0  and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new session token is generated for the user that claimed the workspace, but the previous session token for the prebuilds user was not expired. Any Coder workspace templates that persist this automatically generated session token are potentially impacted. This is fixed in versions 2.24.4 and 2.25.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-279",
                  "description": "CWE-279: Incorrect Execution-Assigned Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-277",
                  "description": "CWE-277: Insecure Inherited Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-06T02:30:08.378Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-j6xf-jwrj-v5qp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-j6xf-jwrj-v5qp"
            },
            {
              "name": "https://github.com/coder/coder/pull/19667",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/19667"
            },
            {
              "name": "https://github.com/coder/coder/pull/19668",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/19668"
            },
            {
              "name": "https://github.com/coder/coder/pull/19669",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/pull/19669"
            },
            {
              "name": "https://github.com/coder/coder/commit/06cbb2890f453cd522bb2158a6549afa3419c276",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/06cbb2890f453cd522bb2158a6549afa3419c276"
            },
            {
              "name": "https://github.com/coder/coder/commit/20d67d7d7191a4fd5d36a61c6fc1e23ab59befc0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/20d67d7d7191a4fd5d36a61c6fc1e23ab59befc0"
            },
            {
              "name": "https://github.com/coder/coder/commit/ec660907faa0b0eae20fa2ba58ce1733f5f4b35a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/ec660907faa0b0eae20fa2ba58ce1733f5f4b35a"
            }
          ],
          "source": {
            "advisory": "GHSA-j6xf-jwrj-v5qp",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s privilege escalation vulnerability could lead to a cross workspace compromise"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58437",
        "datePublished": "2025-09-06T02:30:08.378Z",
        "dateReserved": "2025-09-01T20:03:06.532Z",
        "dateUpdated": "2025-09-08T16:45:15.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-47269 (GCVE-0-2025-47269)

    Vulnerability from cvelistv5 – Published: 2025-05-09 20:59 – Updated: 2025-05-10 01:45
    VLAI
    Title
    code-server session cookie can be extracted by having user visit specially crafted proxy URL
    Summary
    code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can result in proxying to an arbitrary domain. The malicious URL `https://<code-server>/proxy/test@evil.com/path` would be proxied to `test@evil.com/path` where the attacker could exfiltrate a user's session token. Any user who runs code-server with the built-in proxy enabled and clicks on maliciously crafted links that go to their code-server instances with reference to /proxy. Normally this is used to proxy local ports, however the URL can reference the attacker's domain instead, and the connection is then proxied to that domain, which will include sending cookies. With access to the session cookie, the attacker can then log into code-server and have full access to the machine hosting code-server as the user running code-server. This issue has been patched in version 4.99.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    Assigner
    Impacted products
    Vendor Product Version
    coder code-server Affected: < 4.99.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47269",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-10T01:44:34.818502Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-10T01:45:13.443Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "code-server",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.99.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can result in proxying to an arbitrary domain. The malicious URL `https://\u003ccode-server\u003e/proxy/test@evil.com/path` would be proxied to `test@evil.com/path` where the attacker could exfiltrate a user\u0027s session token. Any user who runs code-server with the built-in proxy enabled and clicks on maliciously crafted links that go to their code-server instances with reference to /proxy. Normally this is used to proxy local ports, however the URL can reference the attacker\u0027s domain instead, and the connection is then proxied to that domain, which will include sending cookies. With access to the session cookie, the attacker can then log into code-server and have full access to the machine hosting code-server as the user running code-server. This issue has been patched in version 4.99.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-09T20:59:01.510Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/code-server/security/advisories/GHSA-p483-wpfp-42cj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/code-server/security/advisories/GHSA-p483-wpfp-42cj"
            },
            {
              "name": "https://github.com/coder/code-server/commit/47d6d3ada5aadef6d221f3d612401eb3dad9299e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/code-server/commit/47d6d3ada5aadef6d221f3d612401eb3dad9299e"
            },
            {
              "name": "https://github.com/coder/code-server/releases/tag/v4.99.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/code-server/releases/tag/v4.99.4"
            }
          ],
          "source": {
            "advisory": "GHSA-p483-wpfp-42cj",
            "discovery": "UNKNOWN"
          },
          "title": "code-server session cookie can be extracted by having user visit specially crafted proxy URL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47269",
        "datePublished": "2025-05-09T20:59:01.510Z",
        "dateReserved": "2025-05-05T16:53:10.371Z",
        "dateUpdated": "2025-05-10T01:45:13.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27918 (GCVE-0-2024-27918)

    Vulnerability from cvelistv5 – Published: 2024-03-06 20:25 – Updated: 2024-08-05 18:06
    VLAI
    Title
    Coder's OIDC authentication allows email with partially matching domain to register
    Summary
    Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider. Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    coder coder Affected: >= 2.8.0, < 2.8.4
    Affected: >= 2.7.0, < 2.7.3
    Affected: < 2.6.1
    Create a notification for this product.
    coder coder Affected: 0 , < 2.6.1 (custom)
        cpe:2.3:a:coder:coder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    coder coder Affected: 2.7.0 , < 2.7.3 (custom)
        cpe:2.3:a:coder:coder:2.7.0:*:*:*:*:*:*:*
    Create a notification for this product.
    coder coder Affected: 2.8.0 , < 2.8.4 (custom)
        cpe:2.3:a:coder:coder:2.8.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:41:55.716Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf"
              },
              {
                "name": "https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0"
              },
              {
                "name": "https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31"
              },
              {
                "name": "https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb"
              },
              {
                "name": "https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:coder:coder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "coder",
                "vendor": "coder",
                "versions": [
                  {
                    "lessThan": "2.6.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:coder:coder:2.7.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "coder",
                "vendor": "coder",
                "versions": [
                  {
                    "lessThan": "2.7.3",
                    "status": "affected",
                    "version": "2.7.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:coder:coder:2.8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "coder",
                "vendor": "coder",
                "versions": [
                  {
                    "lessThan": "2.8.4",
                    "status": "affected",
                    "version": "2.8.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27918",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-05T17:35:12.740858Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-05T18:06:33.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "coder",
              "vendor": "coder",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.8.0, \u003c 2.8.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.7.0, \u003c 2.7.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.6.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder\u0027s OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user\u0027s email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.\n\nCoder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-06T20:25:24.601Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf"
            },
            {
              "name": "https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0"
            },
            {
              "name": "https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31"
            },
            {
              "name": "https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb"
            },
            {
              "name": "https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c"
            }
          ],
          "source": {
            "advisory": "GHSA-7cc2-r658-7xpf",
            "discovery": "UNKNOWN"
          },
          "title": "Coder\u0027s OIDC authentication allows email with partially matching domain to register"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-27918",
        "datePublished": "2024-03-06T20:25:24.601Z",
        "dateReserved": "2024-02-28T15:14:14.213Z",
        "dateUpdated": "2024-08-05T18:06:33.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-26114 (GCVE-0-2023-26114)

    Vulnerability from cvelistv5 – Published: 2023-03-23 05:00 – Updated: 2025-02-25 19:30
    VLAI
    Summary
    Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1385 - Missing Origin Validation in WebSockets
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    n/a code-server Affected: 0 , < 4.10.1 (semver)
    Credits
    Elliot W - Snyk Research Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:39:06.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/coder/code-server/releases/tag/v4.10.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.3,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-26114",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T19:30:03.634202Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-346",
                    "description": "CWE-346 Origin Validation Error",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T19:30:08.466Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "code-server",
              "vendor": "n/a",
              "versions": [
                {
                  "lessThan": "4.10.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Elliot W - Snyk Research Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L/E:P",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1385",
                  "description": "Missing Origin Validation in WebSockets",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-23T05:00:01.220Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148"
            },
            {
              "url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7"
            },
            {
              "url": "https://github.com/coder/code-server/releases/tag/v4.10.1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2023-26114",
        "datePublished": "2023-03-23T05:00:01.220Z",
        "dateReserved": "2023-02-20T10:28:48.922Z",
        "dateUpdated": "2025-02-25T19:30:08.466Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-42648 (GCVE-0-2021-42648)

    Vulnerability from cvelistv5 – Published: 2022-05-11 17:34 – Updated: 2024-08-04 03:38
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability exists in Coder Code-Server before 3.12.0, allows attackers to execute arbitrary code via crafted URL.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:38:49.525Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cdr/code-server/issues/4355"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability exists in Coder Code-Server before 3.12.0, allows attackers to execute arbitrary code via crafted URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-11T17:34:38.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cdr/code-server/issues/4355"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-42648",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability exists in Coder Code-Server before 3.12.0, allows attackers to execute arbitrary code via crafted URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cdr/code-server/issues/4355",
                  "refsource": "MISC",
                  "url": "https://github.com/cdr/code-server/issues/4355"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-42648",
        "datePublished": "2022-05-11T17:34:38.000Z",
        "dateReserved": "2021-10-18T00:00:00.000Z",
        "dateUpdated": "2024-08-04T03:38:49.525Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3810 (GCVE-0-2021-3810)

    Vulnerability from cvelistv5 – Published: 2021-09-17 06:15 – Updated: 2024-08-03 17:09
    VLAI
    Title
    Inefficient Regular Expression Complexity in cdr/code-server
    Summary
    code-server is vulnerable to Inefficient Regular Expression Complexity
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    cdr cdr/code-server Affected: unspecified , < 3.12.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.471Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/38888513-30fc-4d8f-805d-34070d60e223"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cdr/code-server/commit/ca617df135e78833f93c8320cb2d2cf8bba809f5"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "cdr/code-server",
              "vendor": "cdr",
              "versions": [
                {
                  "lessThan": "3.12.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "code-server is vulnerable to Inefficient Regular Expression Complexity"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333 Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-17T06:15:24.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/38888513-30fc-4d8f-805d-34070d60e223"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cdr/code-server/commit/ca617df135e78833f93c8320cb2d2cf8bba809f5"
            }
          ],
          "source": {
            "advisory": "38888513-30fc-4d8f-805d-34070d60e223",
            "discovery": "EXTERNAL"
          },
          "title": "Inefficient Regular Expression Complexity in cdr/code-server",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2021-3810",
              "STATE": "PUBLIC",
              "TITLE": "Inefficient Regular Expression Complexity in cdr/code-server"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "cdr/code-server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.12.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "cdr"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "code-server is vulnerable to Inefficient Regular Expression Complexity"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1333 Inefficient Regular Expression Complexity"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/38888513-30fc-4d8f-805d-34070d60e223",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/38888513-30fc-4d8f-805d-34070d60e223"
                },
                {
                  "name": "https://github.com/cdr/code-server/commit/ca617df135e78833f93c8320cb2d2cf8bba809f5",
                  "refsource": "MISC",
                  "url": "https://github.com/cdr/code-server/commit/ca617df135e78833f93c8320cb2d2cf8bba809f5"
                }
              ]
            },
            "source": {
              "advisory": "38888513-30fc-4d8f-805d-34070d60e223",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2021-3810",
        "datePublished": "2021-09-17T06:15:24.000Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }