Coder CVE-2026-55428
HIGHSeverity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
PR:L for an authenticated workspace owner and AC:H for needing a modified agent that correctly claims the victim's prefix; S:C as another agent's traffic is compromised, C:H/I:H from interception and spoofing, A:N.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Summary
The tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration.
Impact
A malicious workspace agent can advertise arbitrary AllowedIPs prefixes including another agent's tailnet address. Coder's ServerTailnet routes to agents by tailnet IP so an agent that claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary.
Patches
The fix validates each AllowedIPs prefix against the authenticating agent's UUID just like Addresses.
The fix was backported to all supported release lines:
Workarounds
Operators who cannot upgrade immediately should monitor coordinator logs for agents advertising unexpected AllowedIPs prefixes.
Resources
- Fix: #26144
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22451) for independently disclosing this issue!
AnalysisAI
Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coder user (PR:L) who owns a running workspace and replaces the standard workspace agent with a modified binary that advertises attacker-chosen WireGuard AllowedIPs prefixes overlapping a victim agent's tailnet address. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals paint a credible but conditional threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a shared Coder deployment provisions a workspace and replaces its agent with a modified binary that advertises AllowedIPs containing a colleague's workspace tailnet prefix. The coordinator forwards the forged prefix to tunnel peers, causing web terminal and workspace app traffic destined for the victim to be routed to the attacker, who serves spoofed content or captures the session. … |
| Remediation | Vendor-released patch: upgrade to the fixed release for your line - v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (ESR) - which adds validation of each AllowedIPs prefix against the authenticating agent's UUID, matching the existing Addresses check. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Coder deployments and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wrq8-fcv5-8hvp