Back to overview

CVE-2026-55428

HIGH
8.2
CVSS 3.1
Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.

Metadata

CVE ID
CVE-2026-55428
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-16 21:59 UTC
Published
2026-07-07 23:57 UTC
Last updated
2026-07-07 23:57 UTC
Primary CWE
CWE-285
CWE-285: Improper Authorization
Vendor / Product
coder / coder
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
coder coder >= 2.34.0, < 2.34.2, >= 2.33.0, < 2.33.8, >= 2.30.0, < 2.32.7, < 2.29.17
Weakness (CWE)
CWESourceDescription
CWE-285 cna CWE-285: Improper Authorization
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
References (6)
Back to overview