CVE-2026-55430
Received Received - Intake

Server-Side Request Forgery in Coder Workspace App

Vulnerability report for CVE-2026-55430, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
coder coder From 2.29.17 (inc) to 2.34.2 (exc)
coder coder From 2.30.0 (inc) to 2.32.7 (exc)
coder coder From 2.33.0 (inc) to 2.33.8 (exc)
coder coder From 2.34.0 (inc) to 2.34.2 (exc)
coder coder to 2.29.17 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Coder platform's workspace app routing system, where the application improperly trusts the X-Forwarded-Host HTTP header from untrusted sources. The workspace app proxy resolves the target app based on this header, which can be set by client-side JavaScript since it is not browser-forbidden. Because no middleware strips or validates this header before routing, an attacker can forge it to redirect requests to a victim's private app.

Exploitation requires subdomain app routing (wildcard hostname) to be enabled, a victim who visits the attacker's shared app, and an upstream proxy that does not strip the X-Forwarded-Host header. The attacker can then send requests with a forged X-Forwarded-Host header pointing to the victim's private app, causing the server to route based on the attacker-controlled header but authorize using the victim's session cookies. This allows the attacker to read responses from the victim's private app, effectively bypassing same-origin policy protections.

The vulnerability was fixed by changing the routing logic to trust the X-Forwarded-Host header only from configured trusted proxies and otherwise use the verified request host. A workaround is to place an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header on untrusted requests.

Impact Analysis

This vulnerability can allow an attacker to bypass same-origin policy protections and access sensitive data from a victim's private app by forging the X-Forwarded-Host header. Specifically, an attacker can trick the server into routing requests to the victim's private app while using the victim's session cookies for authorization.

The impact is a confidentiality breach, where the attacker can read private data that should be inaccessible. The CVSS score rates this as a moderate severity issue with a high impact on confidentiality, requiring network access, user interaction, and low privileges.

Organizations using affected versions of Coder without proper proxy configurations or patches are at risk of unauthorized data exposure through this vulnerability.

Detection Guidance

Detection of this vulnerability involves monitoring for the presence and use of the X-Forwarded-Host header in requests, especially from untrusted sources. Since the vulnerability arises from trusting this header without validation, inspecting incoming HTTP requests for unexpected or forged X-Forwarded-Host headers can help identify potential exploitation attempts.

Additionally, reviewing request logs to check if the application is logging both the effective host and raw received host can help detect anomalies related to this vulnerability.

While specific commands are not provided in the resources, typical detection commands might include using tools like curl or tcpdump to capture and inspect HTTP headers, or using grep to search logs for suspicious X-Forwarded-Host header values.

  • Use tcpdump or Wireshark to capture HTTP traffic and filter for X-Forwarded-Host headers.
  • Use grep or similar tools on server logs to find entries containing 'X-Forwarded-Host'.
  • Use curl with custom headers to test if the server accepts and routes based on X-Forwarded-Host, e.g., curl -H "X-Forwarded-Host: attacker.example.com" https://targetapp.example.com
Mitigation Strategies

Immediate mitigation involves ensuring that the X-Forwarded-Host header is only trusted when it comes from configured trusted proxies. This can be achieved by updating to patched versions of Coder (2.29.7, 2.32.7, 2.33.8, or 2.34.2) which implement this validation.

If immediate upgrading is not possible, a recommended workaround is to place an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header on requests coming from untrusted sources.

Additionally, configure the CODER_PROXY_TRUSTED_ORIGINS environment variable or equivalent proxy trust settings to specify which proxies are trusted to send the X-Forwarded-Host header.

Compliance Impact

This vulnerability allows an attacker to bypass same-origin policy protections by forging the X-Forwarded-Host header, potentially accessing sensitive data from a victim's private app without proper authorization.

Such unauthorized access to sensitive or private data could lead to violations of data protection regulations such as GDPR or HIPAA, which mandate strict controls on confidentiality and access to personal or protected health information.

The vulnerability's impact on confidentiality (rated high) and the ability to access data across app boundaries without proper verification could result in non-compliance with these standards if exploited.

Mitigations and patches that restrict trust of the X-Forwarded-Host header to configured trusted proxies help restore compliance by preventing unauthorized data access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart