PT-2026-56080 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-08

·

CVE-2026-55436

CVSS v3.1

7.4

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Coder versions 2.30.0 through 2.32.6 Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1
Description The AI Bridge Proxy (aibridgeproxyd) creates a goproxy server that, by default, sets InsecureSkipVerify: true. In configurations without an upstream proxy, outbound HTTPS connections to the Coder access URL accept any TLS certificate. This allows an attacker with a man-in-the-middle position between the AI Bridge Proxy and the Coder server to intercept Coder session tokens, user-supplied provider API keys, and full request and response bodies, including prompts and completions. The default transport also honors HTTP PROXY and HTTPS PROXY environment variables, which could allow traffic redirection. Deployments where the proxy and server are co-located over loopback are not affected.
Recommendations Update Coder versions 2.30.0 through 2.32.6 to version 2.32.7. Update Coder versions 2.33.0 through 2.33.7 to version 2.33.8. Update Coder versions 2.34.0 through 2.34.1 to version 2.34.2. Ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server using loopback or mTLS.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55436
GHSA-84RM-42XW-MX52
GO-2026-5920

Affected Products

Coder