Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-reachable endpoint requires only a low-privilege authenticated account; scope unchanged with no confidentiality impact, only limited integrity and availability loss.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Summary
The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild.
> Note: Exploitation requires an existing low-privilege role with access to the target workspace.
Impact
Any authenticated principal with read-only workspace access, such as a Template Admin or Org Template Admin, could recreate a devcontainer, destroying uncommitted in-container state and, if called repeatedly, denying service. This is an authorization bypass leading to data loss and denial of service.
Patches
The fix adds an explicit ActionUpdate authorization check before the agent is dialed like the delete endpoint.
The fix was backported to all supported release lines:
Workarounds
None.
Resources
- Fix: #25812
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22454) for independently disclosing this issue!
AnalysisAI
Authorization bypass in the Coder devcontainer recreate endpoint allows any authenticated user holding only read-level workspace access - such as Template Admin or Org Template Admin roles - to trigger a destructive container rebuild that destroys uncommitted in-container state. Unlike the sibling delete endpoint, which correctly enforces an ActionUpdate check, the recreate endpoint relied solely on route middleware verifying ActionRead, leaving the destructive operation unguarded against lower-privileged principals. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an existing authenticated account within the Coder instance that holds a role granting ActionRead on the target workspace - the advisory explicitly names Template Admin and Org Template Admin as affected roles. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L is consistent with the described vulnerability: network-accessible, low complexity, requires a pre-existing low-privilege account, no user interaction, and impacts only integrity and availability - no confidentiality exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker authenticated to a Coder instance with a Template Admin role - which grants ActionRead on workspaces - identifies a target developer workspace containing uncommitted work. The attacker sends a POST request to the devcontainer recreate endpoint for that workspace; the route middleware passes the ActionRead check and no further authorization is enforced, triggering a full container rebuild that destroys the developer's uncommitted in-container state. … |
| Remediation | Upgrade Coder to a patched version appropriate to your release line: v2.34.2 for the 2.34 line, v2.33.8 for the 2.33 line, v2.32.7 for the 2.32 line, or v2.29.17 for the 2.29 ESR line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42148
GHSA-jqj2-x4c5-jfxm