CVE-2026-55433
Received Received - Intake

Privilege Escalation in Coder Remote Development Environments

Vulnerability report for CVE-2026-55433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
coder coder From 2.30.0 (inc) to 2.34.2 (exc)
coder coder 2.29.7
coder coder 2.32.7
coder coder 2.33.8
coder coder 2.34.2
coder coder 2.29.17

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Coder platform's devcontainer recreate endpoint, which previously only checked for read permissions (ActionRead) on a workspace before allowing a devcontainer to be rebuilt. Unlike the delete endpoint, it did not require update permissions (ActionUpdate), which are necessary because recreating a devcontainer is a destructive action that modifies the workspace state.

As a result, users with low-privilege roles that have read-only access could trigger a destructive rebuild of devcontainers, potentially causing data loss or disruption.

The issue was fixed by adding an explicit ActionUpdate authorization check before the devcontainer recreate operation is allowed, aligning it with the delete endpoint's permission requirements.

Impact Analysis

Exploitation of this vulnerability can lead to destructive rebuilds of development containers by users who only have read access, which can cause loss of uncommitted in-container data.

Repeated triggering of this action could result in denial of service by disrupting development environments.

Because the vulnerability allows low-privilege users to perform destructive actions, it undermines the intended access control and can impact the stability and integrity of development workflows.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Coder platform to one of the fixed versions: 2.29.7, 2.32.7, 2.33.8, or 2.34.2. These versions include a patch that adds an explicit ActionUpdate authorization check before allowing the devcontainer recreate operation, preventing users with only read permissions from triggering destructive rebuilds.

No known workarounds are available, so applying the patch by upgrading is the immediate and recommended step.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart