PT-2026-56071 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-08
·
CVE-2026-55427
CVSS v3.1
8.3
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.34.2
Coder versions prior to 2.33.8
Coder versions prior to 2.32.7
Coder versions prior to 2.29.17
Description
The
coder config-ssh command writes server-supplied SSH settings into the user's ~/.ssh/config file without sanitizing embedded newlines or restricting directives. A malicious or compromised server, or an attacker with man-in-the-middle positioning, could inject arbitrary SSH configuration via the HostnameSuffix and SSHConfigOptions variables. This could allow the injection of directives such as ProxyCommand, leading to arbitrary code execution on developer workstations with the privileges of the local user. These injected commands would apply to all SSH connections, not only Coder workspaces.Recommendations
Update to version 2.34.2 or later.
Update to version 2.33.8 or later.
Update to version 2.32.7 or later.
Update to version 2.29.17 or later.
As a mitigation measure, inspect the output of
coder config-ssh --dry-run before applying changes.Exploit
Fix
Special Elements Injection
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Coder