CVE-2026-55433

Summary

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit ActionUpdate authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
codercoder>= 2.34.0, < 2.34.2affected
codercoder>= 2.33.0, < 2.33.8affected
codercoder>= 2.30.0, < 2.32.7affected
codercoder< 2.29.17affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

References