CVE-2026-55427
Received Received - Intake

SSH Configuration Injection in Coder

Vulnerability report for CVE-2026-55427, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user's `~/.ssh/config` without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the `HostnameSuffix` and `SSHConfigOptions` settings. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `HostnameSuffix` and `SSHConfigOptions` against a strict character set that rejects newlines and other control characters. As a workaround, inspect `coder config-ssh --dry-run` output before applying changes.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
coder coder to 2.29.17 (inc)
coder coder to 2.32.7 (inc)
coder coder to 2.33.8 (inc)
coder coder to 2.34.2 (inc)
coder coder From 2.34.0 (inc) to 2.34.2 (exc)
coder coder From 2.33.0 (inc) to 2.33.8 (exc)
coder coder From 2.30.0 (inc) to 2.32.7 (exc)
coder coder to 2.29.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55427 is a security vulnerability in the Coder platform related to the `coder config-ssh` command. This command writes server-supplied SSH settings such as `HostnameSuffix` and `SSHConfigOptions` into the user's `~/.ssh/config` file without properly sanitizing embedded newlines or restricting SSH directives.

Because of this lack of sanitization, a malicious or compromised Coder server can inject arbitrary SSH configuration directives, potentially including dangerous options like `ProxyCommand`. Exploiting this requires control over the server-supplied values, which could come from a compromised deployment, a man-in-the-middle attacker, or an admin with access to these settings.

The vulnerability was fixed by adding strict validation that rejects newlines and control characters in these settings, preventing injection of arbitrary SSH configuration.

Impact Analysis

This vulnerability can lead to arbitrary code execution on developer workstations because injected SSH configuration directives run with the user's local privileges.

Since the malicious SSH configuration affects the user's `~/.ssh/config` file, it impacts all SSH connections made by the user, not just those related to Coder workspaces.

An attacker who controls the server-supplied values can inject directives that execute arbitrary commands or load malicious libraries, potentially compromising the user's system and data.

Detection Guidance

This vulnerability can be detected by inspecting the SSH configuration changes that the `coder config-ssh` command would apply. Specifically, users should run the command with the `--dry-run` option to preview the SSH configuration output before it is written to the user's `~/.ssh/config` file.

By examining the output of `coder config-ssh --dry-run`, you can check for any suspicious or unexpected SSH directives, especially those containing embedded newlines or control characters that could indicate an injection attempt.

No direct network detection commands are provided, but monitoring for unusual SSH configuration changes or unexpected SSH behavior on developer workstations could help identify exploitation.

Mitigation Strategies

Immediate mitigation steps include upgrading Coder to a patched version where the vulnerability is fixed. The patched versions are 2.29.7, 2.32.7, 2.33.8, and 2.34.2 or later.

As a workaround before upgrading, users should always inspect the output of `coder config-ssh --dry-run` before applying any SSH configuration changes to ensure no malicious or unexpected directives are injected.

Additionally, restrict access to the Coder server and its configuration settings to trusted administrators only, to prevent malicious or compromised deployments from injecting harmful SSH options.

Compliance Impact

The provided information does not specify how CVE-2026-55427 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55427. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart