Skip to main content

Coder CVE-2026-55430

| EUVDEUVD-2026-42136 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-06 https://github.com/coder/coder GHSA-5g4w-3vw9-478w
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
vuln.today AI
5.8 MEDIUM

Requires network access but stacked conditions (subdomain routing, no proxy stripping, victim interaction) justify AC:H; attacker needs a shared app account (PR:L); scope changes as routing crosses user-app trust boundaries.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 08, 2026 - 19:52 NVD
5.8 (MEDIUM) 6.8 (MEDIUM)
CVSS changed
Jul 08, 2026 - 19:52 NVD
5.8 (MEDIUM) 6.8 (MEDIUM)
Analysis Generated
Jul 06, 2026 - 22:21 vuln.today

DescriptionNVD

Summary

The workspace app proxy resolves the target app from httpapi.RequestHost() which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch() calls.

> Note: Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip X-Forwarded-Host.

Impact

App session cookies are scoped to the wildcard parent domain so the browser attaches them to any app subdomain. An attacker who controls a shared workspace app can serve JavaScript that sends same-site requests with a forged X-Forwarded-Host pointing at a victim's private app. The server routes by the attacker-controlled header but authorizes with the victim's cookie which lets the attacker read the victim's private app responses. Subdomain app routing must be enabled and no upstream proxy may strip X-Forwarded-Host.

Patches

The fix trusts X-Forwarded-Host only from configured trusted proxies and otherwise resolves the routing host from the verified request host.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Place an upstream reverse proxy that strips or overwrites X-Forwarded-Host on untrusted requests.

Resources

  • Fix: #26204

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22435) for independently disclosing this issue!

AnalysisAI

Cross-boundary information disclosure in Coder's workspace app proxy allows an attacker who controls a shared workspace app to read a victim user's private app responses by forging the X-Forwarded-Host header. The proxy trusts this client-supplied header for routing decisions while simultaneously authorizing the request with the victim's own session cookie - which the browser attaches to any subdomain because cookies are scoped to the wildcard parent domain - enabling the attacker to steer responses from private apps back through their own JavaScript. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker publishes shared Coder app with malicious fetch() script
Delivery
Victim navigates to attacker's shared app while authenticated
Exploit
JavaScript sets X-Forwarded-Host to victim's private app subdomain
Execution
Coder proxy routes request to victim's private app via forged header
Persist
Wildcard-scoped session cookie authorizes the proxied request as victim
Impact
Private app response returned to attacker's JavaScript

Vulnerability AssessmentAI

Exploitation Subdomain app routing must be explicitly enabled in the Coder deployment (wildcard hostname configuration) - without this, the cookie-scoping and header-routing preconditions do not exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 5.8 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N) accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a Coder account publishes a shared workspace app containing JavaScript that issues a fetch() call to the Coder proxy with a forged X-Forwarded-Host header naming the victim's private app subdomain. When an authenticated victim browses to the attacker's shared app, the browser automatically attaches the wildcard-scoped session cookie; Coder's proxy routes the request to the victim's private app based on the forged header but authorizes it against the victim's cookie, returning the private app's response body to the attacker's script. …
Remediation The primary fix is to upgrade to a patched release: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (ESR), all available at https://github.com/coder/coder/releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy