CVE-2026-55431
Received Received - Intake

Insecure URL Handling in Coder CLI with Session Token Exposure

Vulnerability report for CVE-2026-55431, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
coder coder 2.29.7
coder coder 2.32.7
coder coder 2.33.8
coder coder 2.34.2
coder coder From 2.30.0 (inc) to 2.34.2 (inc)
coder coder From 2.33.0 (inc) to 2.33.8 (inc)
coder coder From 2.34.0 (inc) to 2.34.2 (inc)
coder coder From 2.30.0 (inc) to 2.32.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55431 is a security vulnerability in the Coder platform related to the `coder open app` command. This command opens external workspace-app URLs and automatically replaces the `$SESSION_TOKEN` placeholder in those URLs with the user's real session token without validating the URL's scheme or host.

An attacker who controls the external app definition of a workspace can craft malicious URLs that include the `$SESSION_TOKEN` placeholder. When a victim runs `coder open app` on such a workspace, their session token is substituted into the URL and sent to the attacker, leading to token exfiltration.

The vulnerability requires the victim to run the command against a workspace with a malicious external app, which only a malicious template author can control.

The fix restricts token substitution to trusted destinations by applying a URL-scheme allowlist and limits substitution to top-level agent apps vetted by administrators, preventing token leakage from sub-agent apps.

Impact Analysis

This vulnerability can lead to the exfiltration of your session token to an attacker-controlled URL. With the stolen session token, an attacker can impersonate your account for the token's lifetime.

The attack requires user interaction, specifically running the `coder open app` command on a workspace with a malicious external app definition.

Because the session token grants access to your account, this can result in a complete compromise of your development environment and any associated resources.

Detection Guidance

This vulnerability involves the `coder open app` command substituting the user's session token into external app URLs containing the `$SESSION_TOKEN` placeholder without validating the URL's scheme or host.

Detection can focus on monitoring the execution of the `coder open app` command, especially when run against untrusted or suspicious workspaces that may contain malicious external app definitions.

Network detection could involve inspecting outbound requests or URL openings triggered by this command for unusual URLs containing session tokens or the `$SESSION_TOKEN` placeholder.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability immediately, avoid running the `coder open app` command against untrusted workspaces whose external app definitions could be controlled by an attacker.

Upgrade Coder to versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2 or later, where the vulnerability is fixed by applying a URL-scheme allowlist and restricting `$SESSION_TOKEN` substitution to trusted destinations only.

The fix also includes warnings when the `$SESSION_TOKEN` placeholder is present in sub-agent URLs and prevents token substitution in those cases, reducing the risk of token exfiltration.

Compliance Impact

The vulnerability allows session tokens to be exfiltrated via external application URLs, which can lead to full account impersonation for the token's lifetime. This exposure of sensitive authentication tokens can result in unauthorized access to user data and systems.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

The vulnerability's high severity (CVSS 7.7) and its impact on confidentiality and integrity highlight the risk of non-compliance if exploited, especially since it involves user session tokens that could be used to impersonate users and access protected data.

Mitigations include upgrading to fixed versions that apply URL-scheme allowlists and restrict session token substitution to trusted destinations, as well as avoiding running the vulnerable command on untrusted workspaces.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55431. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart