1290 matches found
CVE-2026-55438
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
CVE-2026-55430
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...
EUVD-2026-42151
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
CVE-2026-55438 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
CVE-2026-55438
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...
CVE-2026-55438
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
CVE-2026-55438 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
CVE-2026-55432 Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the CreateSubAgent RPC did not validate a requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps, letting a...
CVE-2026-55430
Coder's workspace app (github.com/coder/coder) prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts X-Forwarded-Host for routing because no middleware strips it before routing and httpapi.RequestHost() prefers that header over Host. This enables cross-app data access when subdomain (wildca...
CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...
CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...
GO-2026-5918 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder...
GO-2026-5917 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder...
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...
GHSA-5WG6-JMQ2-53PW Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...
GHSA-5G4W-3VW9-478W Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...
PT-2026-56082
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The subdomain-based workspace app proxy allows a bypass of the same-owner Cross-Origin Resource Sharing CO...
PT-2026-56074
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The workspace app proxy resolves the target app using the httpapi.RequestHost function, which prioritizes...
K000161963: Golang vulnerability CVE-2025-61727
Security Advisory Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example . com does not prevent a leaf certificate from claiming the SAN .example.co...