Back to overview

CVE-2026-55433

MEDIUM
5.4
CVSS 3.1
Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.

Metadata

CVE ID
CVE-2026-55433
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-16 21:59 UTC
Published
2026-07-08 00:22 UTC
Last updated
2026-07-08 00:22 UTC
Primary CWE
CWE-862
CWE-862: Missing Authorization
Vendor / Product
coder / coder
Sources
cve.org  ·  NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Affected products (1)
VendorProductPlatformVersions
coder coder >= 2.34.0, < 2.34.2, >= 2.33.0, < 2.33.8, >= 2.30.0, < 2.32.7, < 2.29.17
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
References (6)
Back to overview