PT-2026-56074 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-08
·
CVE-2026-55430
CVSS v3.1
5.8
Medium
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.29.17
Coder versions prior to 2.32.7
Coder versions prior to 2.33.8
Coder versions prior to 2.34.2
Description
The workspace app proxy resolves the target app using the
httpapi.RequestHost() function, which prioritizes the X-Forwarded-Host header over the actual Host header. Because no middleware strips the X-Forwarded-Host header before routing and the header is not browser-forbidden, client-side JavaScript can manipulate it during fetch() calls. This allows an attacker who controls a shared workspace app to serve JavaScript that sends same-site requests with a forged X-Forwarded-Host header pointing to a victim's private app. Since app session cookies are scoped to the wildcard parent domain, the browser attaches them to the request, allowing the attacker to read private app responses. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and an upstream proxy that does not strip the X-Forwarded-Host header.Recommendations
Update to version 2.29.17 or later.
Update to version 2.32.7 or later.
Update to version 2.33.8 or later.
Update to version 2.34.2 or later.
As a temporary workaround, implement an upstream reverse proxy that strips or overwrites the
X-Forwarded-Host header on untrusted requests.Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Coder