Back to overview

CVE-2026-55429

HIGH
8.7
CVSS 3.1
Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.

Metadata

CVE ID
CVE-2026-55429
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-16 21:59 UTC
Published
2026-07-08 00:00 UTC
Last updated
2026-07-08 00:00 UTC
Primary CWE
CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product
coder / coder
Sources
cve.org  ·  NVD

Severity & Metrics

8.7 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
coder coder >= 2.34.0, < 2.34.2, >= 2.33.0, < 2.33.8, >= 2.30.0, < 2.32.7, < 2.29.17
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.7 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
References (6)
Back to overview