CVE-2026-55428
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each AllowedIPs prefix against the authenticating agent's UUID just like Addresses. As a workaround, monitor coordinator logs for agents advertising unexpected AllowedIPs prefixes.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| coder | coder | >= 2.34.0, < 2.34.2 | affected |
| coder | coder | >= 2.33.0, < 2.33.8 | affected |
| coder | coder | >= 2.30.0, < 2.32.7 | affected |
| coder | coder | < 2.29.17 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
- CWE-863: CWE-863: Incorrect Authorization
References
- https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp
- https://github.com/coder/coder/pull/26144
- https://github.com/coder/coder/releases/tag/v2.29.17
- https://github.com/coder/coder/releases/tag/v2.32.7
- https://github.com/coder/coder/releases/tag/v2.33.8
- https://github.com/coder/coder/releases/tag/v2.34.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.