CVE-2026-55428

Summary

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each AllowedIPs prefix against the authenticating agent's UUID just like Addresses. As a workaround, monitor coordinator logs for agents advertising unexpected AllowedIPs prefixes.

Affected Software

VendorProductVersion RangeStatus
codercoder>= 2.34.0, < 2.34.2affected
codercoder>= 2.33.0, < 2.33.8affected
codercoder>= 2.30.0, < 2.32.7affected
codercoder< 2.29.17affected

Weaknesses

  • CWE-285: CWE-285: Improper Authorization
  • CWE-863: CWE-863: Incorrect Authorization

References