Back to overview

CVE-2026-55430

MEDIUM
5.8
CVSS 3.1
Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.

Metadata

CVE ID
CVE-2026-55430
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-16 21:59 UTC
Published
2026-07-08 00:03 UTC
Last updated
2026-07-08 00:03 UTC
Primary CWE
CWE-345
CWE-345: Insufficient Verification of Data Authenticity
Vendor / Product
coder / coder
Sources
cve.org  ·  NVD

Severity & Metrics

5.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
coder coder >= 2.34.0, < 2.34.2, >= 2.33.0, < 2.33.8, >= 2.30.0, < 2.32.7, < 2.29.17
Weakness (CWE)
CWESourceDescription
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CWE-441 cna CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
References (6)
Back to overview