2 matches found
CVE-2026-55431
Coder prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 is vulnerable to session-token leakage via coder open app for external workspace apps. The CLI opens external workspace-app URLs without validating scheme/host, and if a URL contains the placeholder $SESSION_TOKEN, the token is substitute...
GO-2026-5924 Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Coder's session token leaked to arbitrary hosts via coder open app for external workspace apps in github.com/coder/coder...