PT-2026-56074 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-08

·

CVE-2026-55430

CVSS v3.1

5.8

Medium

VectorAV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2
Description The workspace app proxy resolves the target app using the httpapi.RequestHost() function, which prioritizes the X-Forwarded-Host header over the actual Host header. Because no middleware strips the X-Forwarded-Host header before routing and the header is not browser-forbidden, client-side JavaScript can manipulate it during fetch() calls. This allows an attacker who controls a shared workspace app to serve JavaScript that sends same-site requests with a forged X-Forwarded-Host header pointing to a victim's private app. Since app session cookies are scoped to the wildcard parent domain, the browser attaches them to the request, allowing the attacker to read private app responses. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and an upstream proxy that does not strip the X-Forwarded-Host header.
Recommendations Update to version 2.29.17 or later. Update to version 2.32.7 or later. Update to version 2.33.8 or later. Update to version 2.34.2 or later. As a temporary workaround, implement an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header on untrusted requests.

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55430
GHSA-5G4W-3VW9-478W
GO-2026-5917

Affected Products

Coder