CVE-2026-44454
Received Received - Intake

Workspace Creation Parameter Injection in Coder

Vulnerability report for CVE-2026-44454, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted `dotfiles_uri` value (for example, one containing shell command substitution such as `$(...)`) could achieve command execution in their own workspace. The Create Workspace page's `mode=auto` deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled `param.dotfiles_uri` and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation. In versions 2.29.7 and 2.30.2, input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe `eval`/`sh -c` usage was removed. This eliminated the command injection at its source.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coder dotfiles to 2.30.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Coder, a tool that allows organizations to provision remote development environments via Terraform. In versions prior to 2.29.7 and 2.30.2, when creating workspaces using 'mode=auto' deep links, the system would silently provision workspaces with parameters controlled by an attacker without requiring any explicit user confirmation.

This means an attacker could craft a link that, when used, would automatically create a workspace with parameters they chose, potentially leading to unauthorized configurations or access.

In versions 2.29.7 and 2.30.2, a consent dialog was introduced that displays all prefilled parameters and blocks workspace creation until the user explicitly confirms by clicking 'Confirm and Create', mitigating the issue.

Impact Analysis

This vulnerability can lead to unauthorized creation of remote development workspaces with attacker-controlled parameters without user consent.

Such unauthorized provisioning could allow attackers to influence the environment configuration, potentially leading to unauthorized access, data exposure, or manipulation within the affected system.

Given the CVSS score of 8.1 with high impact on confidentiality and integrity, the vulnerability poses a significant risk to the security of the affected environments.

Mitigation Strategies

To mitigate this vulnerability, update Coder to version 2.29.7 or 2.30.2 or later, where a consent dialog has been added to require explicit user confirmation before workspace creation with prefilled parameters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart