PT-2026-56075 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-08
·
CVE-2026-55431
CVSS v3.1
7.7
High
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.29.17
Coder versions prior to 2.32.7
Coder versions prior to 2.33.8
Coder versions prior to 2.34.2
Description
The
coder open app command opens external workspace-app URLs without validating the scheme or host. If an external app URL contains the $SESSION TOKEN placeholder, the CLI replaces it with the user's actual session token before passing the URL to the operating system's open handler. A malicious template author can define an arbitrary URL to capture the session token, enabling full account impersonation, or invoke arbitrary local URI scheme handlers. Exploitation occurs when a user runs coder open app against a workspace controlled by an attacker.Recommendations
Update to version 2.29.17 or later.
Update to version 2.32.7 or later.
Update to version 2.33.8 or later.
Update to version 2.34.2 or later.
As a temporary workaround, avoid running
coder open app for untrusted workspaces.Fix
Open Redirect
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Coder