Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-55433— Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

CVSS 5.4 · Medium EPSS 0.39% · P31

Affected Version Matrix 4

VendorProductVersion RangeStatus
codercoder>= 2.34.0, < 2.34.2affected
>= 2.33.0, < 2.33.8affected
>= 2.30.0, < 2.32.7affected
< 2.29.17affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-55433

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Source: NVD (National Vulnerability Database)
Vulnerability Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Coder 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Coder是Coder组织开源的一个可以在公共或私有云基础设施中设置开发环境的应用程序。 Coder存在授权问题漏洞,该漏洞源于devcontainer recreate端点仅检查`ActionRead`权限,未在触发破坏性重建前执行`ActionUpdate`检查,可能导致拥有低权限的角色对目标工作区进行未经授权的操作。以下版本受到影响:2.29.7之前版本、2.30.0至2.32.7之前版本、2.33.0至2.33.8之前版本和2.34.0至2.34.2之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
codercoder >= 2.34.0, < 2.34.2 -

II. Public POCs for CVE-2026-55433

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-55433

登录查看更多情报信息。

Patches & Fixes for CVE-2026-55433 (1)

Vendor Advisories for CVE-2026-55433 (1)

Vendor Pages for CVE-2026-55433 (4)

Same Patch Batch · coder · 2026-07-08 · 8 CVEs total

CVE-2026-554298.7 HIGHCoder's workspace app upsert allows cross-workspace agent rebinding via user-controlled ap
CVE-2026-554317.7 HIGHCoder's session token leaked to arbitrary hosts via `coder open app` for external workspac
CVE-2026-554367.4 HIGHCoder's AI Bridge Proxy skips TLS certificate verification in default configuration
CVE-2026-554385.8 MEDIUMCoder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
CVE-2026-554305.8 MEDIUMCoder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, en
CVE-2026-554375.4 MEDIUMCoder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine compone
CVE-2026-554325.4 MEDIUMCoder's sub-agent app registration bypasses template port-sharing policy enforcement

IV. Related Vulnerabilities

V. Comments for CVE-2026-55433

No comments yet


Leave a comment