PT-2026-56076 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-08
·
CVE-2026-55432
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Coder versions prior to 2.29.7
Coder versions prior to 2.32.7
Coder versions prior to 2.33.8
Coder versions prior to 2.34.2
Description
The
CreateSubAgent RPC does not validate the requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps. This allows a workspace owner with an agent token to exceed the administrator's configured maximum sharing level, potentially registering a sub-agent app as PUBLIC even when the policy is set to owner. This exposes the app to unauthenticated users via the wildcard app domain. Exploitation requires the ability to register sub-agent apps in a workspace controlled by the attacker and is limited to deployments using Enterprise port-sharing policy and wildcard app hostnames.Recommendations
Update to version 2.29.7 or later.
Update to version 2.32.7 or later.
Update to version 2.33.8 or later.
Update to version 2.34.2 or later.
Disable wildcard app hostnames by configuring the
CODER WILDCARD ACCESS URL variable to block subdomain-based app routing.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coder