Skip to main content

Coder CVE-2026-55433

| EUVDEUVD-2026-42148 MEDIUM
Missing Authorization (CWE-862)
2026-07-06 https://github.com/coder/coder GHSA-jqj2-x4c5-jfxm
5.4
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-reachable endpoint requires only a low-privilege authenticated account; scope unchanged with no confidentiality impact, only limited integrity and availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 22:36 vuln.today

DescriptionCVE.org

Summary

The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild.

> Note: Exploitation requires an existing low-privilege role with access to the target workspace.

Impact

Any authenticated principal with read-only workspace access, such as a Template Admin or Org Template Admin, could recreate a devcontainer, destroying uncommitted in-container state and, if called repeatedly, denying service. This is an authorization bypass leading to data loss and denial of service.

Patches

The fix adds an explicit ActionUpdate authorization check before the agent is dialed like the delete endpoint.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

None.

Resources

  • Fix: #25812

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22454) for independently disclosing this issue!

AnalysisAI

Authorization bypass in the Coder devcontainer recreate endpoint allows any authenticated user holding only read-level workspace access - such as Template Admin or Org Template Admin roles - to trigger a destructive container rebuild that destroys uncommitted in-container state. Unlike the sibling delete endpoint, which correctly enforces an ActionUpdate check, the recreate endpoint relied solely on route middleware verifying ActionRead, leaving the destructive operation unguarded against lower-privileged principals. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain authenticated Coder account with read-only workspace access
Delivery
Identify target workspace with uncommitted developer state
Exploit
Send POST to devcontainer recreate endpoint
Install
Route middleware passes ActionRead check
C2
ActionUpdate check absent, agent dialed without authorization
Execute
Container rebuilt, uncommitted state destroyed
Impact
Repeat for sustained denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires an existing authenticated account within the Coder instance that holds a role granting ActionRead on the target workspace - the advisory explicitly names Template Admin and Org Template Admin as affected roles. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L is consistent with the described vulnerability: network-accessible, low complexity, requires a pre-existing low-privilege account, no user interaction, and impacts only integrity and availability - no confidentiality exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker authenticated to a Coder instance with a Template Admin role - which grants ActionRead on workspaces - identifies a target developer workspace containing uncommitted work. The attacker sends a POST request to the devcontainer recreate endpoint for that workspace; the route middleware passes the ActionRead check and no further authorization is enforced, triggering a full container rebuild that destroys the developer's uncommitted in-container state. …
Remediation Upgrade Coder to a patched version appropriate to your release line: v2.34.2 for the 2.34 line, v2.33.8 for the 2.33 line, v2.32.7 for the 2.32 line, or v2.29.17 for the 2.29 ESR line. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy