CVE-2026-55438
CVE-2026-55438 is a medium-severity vulnerability in Coder with a CVSS 3.x base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-346.
Key facts
- Severity: Medium (CVSS 3.x base score 5.8)
- EPSS exploit prediction: 0% (12th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-346
- Affected product: Coder
- Published:
- Last modified:
Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
Frequently asked questions
- What is CVE-2026-55438?
- Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
- How severe is CVE-2026-55438?
- CVE-2026-55438 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-55438 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-55438?
- CVE-2026-55438 affects Coder. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-55438?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-55438 published?
- CVE-2026-55438 was published on 2026-07-08.
References
- https://github.com/coder/coder/pull/26085
- https://github.com/coder/coder/pull/26086
- https://github.com/coder/coder/releases/tag/v2.29.17
- https://github.com/coder/coder/releases/tag/v2.32.7
- https://github.com/coder/coder/releases/tag/v2.33.8
- https://github.com/coder/coder/releases/tag/v2.34.2
- https://github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw
Affected products (1)
- cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*
More vulnerabilities in Coder
- CVE-2026-46354 — Critical (CVSS 9.1): Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5,…
- CVE-2026-55429 — High (CVSS 8.7): Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7,…
- CVE-2026-55427 — High (CVSS 8.3): Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7,…
- CVE-2026-55428 — High (CVSS 8.2): Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7,…
- CVE-2024-27918 — High (CVSS 8.2): Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3,…
- CVE-2026-44454 — High (CVSS 8.1): Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and…
Other CWE-346 vulnerabilities
- CVE-2026-42901 — Critical (CVSS 10.0): Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-6508 — Critical (CVSS 9.8): Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows…
- CVE-2026-2790 — Critical (CVSS 9.8): Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR…
- CVE-2022-50925 — Critical (CVSS 9.8): Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send…
- CVE-2025-30466 — Critical (CVSS 9.8): This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS…
- CVE-2024-8487 — Critical (CVSS 9.8): A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS…