CVE-2026-55432
Received Received - Intake

Privilege Escalation in Coder Remote Development Environments

Vulnerability report for CVE-2026-55432, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
coder coder to 2.29.7 (exc)
coder coder to 2.32.7 (exc)
coder coder to 2.33.8 (exc)
coder coder to 2.34.2 (exc)
coder coder to 2.29.17 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-55432 vulnerability in the Coder platform involves a flaw in the CreateSubAgent RPC where it does not validate the requested app sharing level against the template's maximum allowed port sharing level before saving workspace apps.

This means a workspace owner can register a sub-agent app with a sharing level higher than what the administrator configured, potentially making the app more accessible than intended.

Exploitation requires the attacker to have the ability to register sub-agent apps in a workspace they control and be authenticated as a workspace owner with an agent token.

The vulnerability mainly affects deployments using Enterprise port-sharing policies and wildcard app hostnames, which can expose apps to unauthenticated users via subdomain-based routing.

A fix has been released in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 that clamps the sub-agent app sharing level to the template's maximum allowed level.

As a workaround, administrators can disable wildcard app hostnames to block subdomain-based app routing.

Impact Analysis

This vulnerability can allow a workspace owner to exceed the administrator's configured maximum app sharing level, potentially exposing internal or sensitive applications to unauthorized or unauthenticated users.

If exploited, apps intended to be restricted to certain users or owners could become publicly accessible, increasing the risk of data exposure or unauthorized access.

The impact is moderate with a CVSS score of 5.4, reflecting that the attack complexity is low but requires some privileges (workspace owner with an agent token).

Organizations using Enterprise port-sharing policies and wildcard app hostnames are particularly at risk.

Disabling wildcard app hostnames can mitigate the risk until patches are applied.

Detection Guidance

Detection of this vulnerability involves checking if sub-agent workspace apps have been registered with an app sharing level exceeding the template's MaxPortSharingLevel.

The patched version emits warnings with diagnostic details when clamping occurs, including sub-agent name, ID, app slug, requested level, max level, and error information.

To detect exploitation attempts or presence of the vulnerability, review logs or warnings related to the CreateSubAgent RPC calls for any sharing level violations.

Since the vulnerability requires the ability to register sub-agent apps, monitoring for unexpected or unauthorized sub-agent app registrations in your workspace is recommended.

No specific commands are provided in the resources, but administrators should check application logs for warnings emitted by the SubAgentAPI and audit workspace app sharing levels against configured maximums.

Mitigation Strategies

The primary mitigation is to upgrade Coder to one of the fixed versions: 2.29.7, 2.32.7, 2.33.8, or 2.34.2, which clamp the sub-agent app sharing level to the template's MaxPortSharingLevel.

As a workaround before upgrading, disable wildcard app hostnames by setting the environment variable CODER_WILDCARD_ACCESS_URL to block subdomain-based app routing.

Administrators should also review and enforce Enterprise port-sharing policies to ensure that sharing levels are not exceeded.

Compliance Impact

The vulnerability allows a workspace owner to exceed the administrator's configured maximum app sharing level, potentially exposing apps to unauthenticated users via wildcard app hostnames. This could lead to unauthorized access to sensitive data or systems.

Such unauthorized exposure may impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

However, exploitation requires specific conditions: the attacker must be an authenticated workspace owner with an agent token, and the deployment must use Enterprise port-sharing policies and wildcard app hostnames.

The issue has been addressed in patched versions that enforce the maximum sharing level, and administrators can mitigate risk by disabling wildcard app hostnames.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55432. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart