CVE-2026-55428
Received Received - Intake

Privilege Escalation in Coder Remote Development Environments

Vulnerability report for CVE-2026-55428, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
coder coder 2.29.7
coder coder 2.32.7
coder coder 2.33.8
coder coder 2.34.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-55428 affects the Coder platform, where the tailnet coordinator fails to properly validate the `AllowedIPs` field provided by agents. While the coordinator validates that an agent's `Addresses` derive from its authenticated UUID, it does not apply the same check to `AllowedIPs`. As a result, a malicious agent can advertise arbitrary `AllowedIPs` prefixes, including those belonging to other agents.

These unvalidated `AllowedIPs` are forwarded verbatim to tunnel peers and installed into the WireGuard peer configuration, potentially allowing an attacker to hijack routes by impersonating other agents' IP prefixes.

The vulnerability can be exploited by an attacker with an authenticated user account and a running workspace who modifies the agent binary to include false `AllowedIPs`. This leads to interception of traffic such as web terminal and workspace app data, enabling spoofed content delivery.

Patches have been released in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 to validate `AllowedIPs` against the authenticating agent's UUID, closing this security gap.

Impact Analysis

This vulnerability can have serious impacts on confidentiality and integrity of your network traffic within the Coder platform.

  • An attacker can hijack network routes by advertising IP prefixes of other agents, allowing interception of traffic intended for those agents.
  • Intercepted traffic can include sensitive data from web terminals and workspace applications.
  • The attacker can serve spoofed content, potentially misleading users or injecting malicious data.

Availability is not impacted by this vulnerability, but the breach of confidentiality and integrity can lead to significant security risks.

Detection Guidance

This vulnerability can be detected by monitoring the coordinator logs for agents advertising unexpected AllowedIPs prefixes that do not match their authenticated UUID-derived prefixes.

Since the coordinator forwards agent-supplied AllowedIPs verbatim to WireGuard peer configurations, checking these configurations for anomalous or unauthorized AllowedIPs entries can also help detect exploitation attempts.

Specific commands are not provided in the available resources, but operators should focus on log inspection and WireGuard peer configuration audits to identify unexpected AllowedIPs.

Mitigation Strategies

The primary mitigation is to upgrade the Coder platform to one of the patched versions: 2.29.7, 2.32.7, 2.33.8, or 2.34.2, which include validation of AllowedIPs against the authenticating agent's UUID.

If immediate upgrading is not possible, as a workaround, monitor coordinator logs closely for agents advertising unexpected AllowedIPs prefixes to detect potential exploitation.

Compliance Impact

The vulnerability allows a malicious authenticated workspace agent to advertise arbitrary AllowedIPs prefixes, potentially hijacking network routes and intercepting web terminal and workspace app traffic. This interception could lead to unauthorized access to sensitive data, impacting confidentiality and integrity.

Such unauthorized interception and potential data exposure could negatively affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality and integrity.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart