CVE-2026-55433
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit ActionUpdate authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| coder | coder | >= 2.34.0, < 2.34.2 | affected |
| coder | coder | >= 2.33.0, < 2.33.8 | affected |
| coder | coder | >= 2.30.0, < 2.32.7 | affected |
| coder | coder | < 2.29.17 | affected |
Weaknesses
- CWE-862: CWE-862: Missing Authorization
References
- https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm
- https://github.com/coder/coder/pull/25812
- https://github.com/coder/coder/releases/tag/v2.29.17
- https://github.com/coder/coder/releases/tag/v2.32.7
- https://github.com/coder/coder/releases/tag/v2.33.8
- https://github.com/coder/coder/releases/tag/v2.34.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.