PT-2026-56073 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-08

·

CVE-2026-55429

CVSS v3.1

8.7

High

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17
Description An issue exists where the UpsertWorkspaceApp function overwrites an existing application's agent id during a primary-key conflict. Additionally, the insertAgentApp function accepts an application ID from the CompleteJob payload without verifying if it belongs to the workspace being constructed. Because CompleteJob operates under dbauthz.AsProvisionerd, the authorization layer fails to block cross-workspace upserts. A user with template authorship or external provisioner access can provide a victim's application UUID and an attacker-controlled agent ID in a CompleteJob payload. This allows the victim's application to be rebound to the attacker's agent, resulting in application traffic, such as IDE and terminal sessions, being proxied to the attacker's workspace. Application UUIDs can be discovered via the public API.
Recommendations Update to version 2.34.2 or later. Update to version 2.33.8 or later. Update to version 2.32.7 or later. Update to version 2.29.17 or later.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55429
GHSA-9RJW-3GWP-F59V
GO-2026-5909

Affected Products

Coder