PT-2026-56076 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-08

·

CVE-2026-55432

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.7 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2
Description The CreateSubAgent RPC does not validate the requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps. This allows a workspace owner with an agent token to exceed the administrator's configured maximum sharing level, potentially registering a sub-agent app as PUBLIC even when the policy is set to owner. This exposes the app to unauthenticated users via the wildcard app domain. Exploitation requires the ability to register sub-agent apps in a workspace controlled by the attacker and is limited to deployments using Enterprise port-sharing policy and wildcard app hostnames.
Recommendations Update to version 2.29.7 or later. Update to version 2.32.7 or later. Update to version 2.33.8 or later. Update to version 2.34.2 or later. Disable wildcard app hostnames by configuring the CODER WILDCARD ACCESS URL variable to block subdomain-based app routing.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55432
GHSA-X9QQ-2QH5-8RXF
GO-2026-5926

Affected Products

Coder