CVE-2026-55434
Received Received - Intake

Memory Exhaustion in Coder AI Bridge Provider

Vulnerability report for CVE-2026-55434, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Exploitation requires authenticated access to the AI Bridge endpoints and the impact is limited to availability (denial of service). Versions 2.33.8 and 2.34.2 patch the issue. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Coder's AI Bridge provider handlers in versions starting from 2.33.0 up to but not including 2.33.8 and 2.34.2. The handlers read request bodies using io.ReadAll without limiting the maximum size. This means an authenticated user with access to AI Bridge endpoints can send an arbitrarily large request body, which can exhaust the system's memory.

Impact Analysis

The impact of this vulnerability is limited to availability. An attacker who is authenticated and has access to AI Bridge endpoints can cause a denial of service by exhausting the system's memory through sending very large request bodies.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Coder to version 2.33.8 or 2.34.2 or later, as these versions contain patches that fix the issue.

No known workarounds are available, so applying the patch is the immediate recommended action.

Compliance Impact

This vulnerability impacts availability by allowing an authenticated user with AI Bridge access to cause a denial of service through memory exhaustion. It does not affect confidentiality or integrity.

Since the vulnerability does not involve unauthorized access to sensitive data or data breaches, its direct impact on compliance with standards like GDPR or HIPAA, which primarily focus on data protection and privacy, is limited.

However, availability is a component of some compliance frameworks, so organizations should consider the risk of denial of service in their overall compliance posture.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart