Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Network API reachable (AV:N/AC:L) but attacker must be a template author or provisioner operator (PR:H); rebinding another user's workspace crosses an authz boundary (S:C) yielding traffic interception (C:H/I:H), with no availability loss (A:N).
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Summary
UpsertWorkspaceApp overwrites an existing app's agent_id on a primary-key conflict and insertAgentApp accepts the app ID from the provisioner's CompleteJob payload without verifying it belongs to the workspace being built. CompleteJob runs under dbauthz.AsProvisionerd so the authorization layer does not block the cross-workspace upsert.
> Note: Exploitation requires elevated access as a template author or external provisioner operator.
Impact
A user with template authorship or external provisioner access can submit a CompleteJob payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker's build the victim's app row is rebound to the attacker's agent so later app traffic such as IDE and terminal sessions is proxied to the attacker's workspace. App UUIDs are discoverable through the public API.
Patches
The fix verifies that any existing workspace_apps row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment.
The fix was backported to all supported release lines:
Workarounds
None. Upgrading is required.
Resources
- Fix: #26103
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22441) for independently disclosing this issue!
AnalysisAI
Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires elevated Coder access - specifically template-authorship rights or control of an external provisioner - because the malicious app-to-agent rebinding is smuggled through the provisioner's CompleteJob payload, which runs under the dbauthz.AsProvisionerd context. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, base 8.7 reflecting the scope-changed high confidentiality/integrity impact) is internally consistent with the description: network-reachable API, low complexity, but high privileges required (PR:H) because the attacker must already be a template author or external provisioner operator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds template-author rights (or operates an external provisioner) enumerates a victim's workspace app UUID via the public API, then triggers a build of their own workspace whose CompleteJob payload references that victim UUID paired with the attacker's own agent ID. On build completion the victim's app row is rebound, and the victim's subsequent IDE and terminal sessions are proxied through the attacker's workspace, allowing interception. … |
| Remediation | Upgrade to a patched build for your release line: Vendor-released patch v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (2.29 ESR), per the coder/coder advisory GHSA-9rjw-3gwp-f59v and PR #26103, which adds verification that any existing workspace_apps row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Coder instances to identify users with template-authorship or external-provisioner privileges; review workspace agent binding logs for unauthorized rebinding activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42135
GHSA-9rjw-3gwp-f59v