PT-2026-56073 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-08
·
CVE-2026-55429
CVSS v3.1
8.7
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.34.2
Coder versions prior to 2.33.8
Coder versions prior to 2.32.7
Coder versions prior to 2.29.17
Description
An issue exists where the
UpsertWorkspaceApp function overwrites an existing application's agent id during a primary-key conflict. Additionally, the insertAgentApp function accepts an application ID from the CompleteJob payload without verifying if it belongs to the workspace being constructed. Because CompleteJob operates under dbauthz.AsProvisionerd, the authorization layer fails to block cross-workspace upserts. A user with template authorship or external provisioner access can provide a victim's application UUID and an attacker-controlled agent ID in a CompleteJob payload. This allows the victim's application to be rebound to the attacker's agent, resulting in application traffic, such as IDE and terminal sessions, being proxied to the attacker's workspace. Application UUIDs can be discovered via the public API.Recommendations
Update to version 2.34.2 or later.
Update to version 2.33.8 or later.
Update to version 2.32.7 or later.
Update to version 2.29.17 or later.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coder