CVE-2026-55438
Received Received - Intake

CORS Bypass in Coder Remote Development Environments

Vulnerability report for CVE-2026-55438, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
coder coder to 2.29.17 (inc)
coder coder to 2.32.7 (inc)
coder coder to 2.33.8 (inc)
coder coder to 2.34.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-55438 vulnerability in Coder's workspace app involves a Cross-Origin Resource Sharing (CORS) origin check bypass through UUID-based subdomain spoofing.

The issue occurs because when a workspace-name subdomain segment is parsed as a UUID, the workspace is resolved by ID without verifying that the username in the URL matches the real owner of the workspace.

Meanwhile, the CORS middleware trusts the unverified username in the hostname, allowing an attacker to craft a subdomain containing their own workspace UUID and a victim's username.

If the victim visits the attacker's crafted app URL while authenticated, the attacker's JavaScript can perform credentialed cross-origin fetch requests to the victim's workspace apps, reading responses and exfiltrating accessible data.

This vulnerability requires subdomain app routing (wildcard hostname) to be enabled.

The issue was fixed in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 by validating the subdomain username against the resolved workspace's actual owner and basing the same-owner CORS decision on the authoritative owner identity.

Impact Analysis

This vulnerability can allow an attacker to bypass CORS origin checks and perform credentialed cross-origin requests to a victim's workspace apps.

If a victim visits a maliciously crafted URL while authenticated, the attacker can read sensitive responses from the victim's workspace applications and exfiltrate accessible data.

The impact is primarily on confidentiality, as attackers can access data they should not be authorized to see.

The vulnerability requires low privileges and user interaction (the victim must visit the attacker's URL), but it can lead to unauthorized data disclosure.

Detection Guidance

This vulnerability involves a bypass of the same-owner CORS check via crafted subdomain URLs containing workspace UUIDs. Detection would involve monitoring for unusual or suspicious requests to workspace app subdomains where the subdomain segment parses as a UUID and the username in the URL does not match the resolved workspace owner.

Specifically, detection could focus on identifying requests with wildcard hostname subdomain routing enabled, where the origin hostname includes a UUID subdomain and an unexpected username, potentially indicating an attempt to exploit the CORS bypass.

No explicit detection commands or tools are provided in the available information.

Mitigation Strategies

The primary mitigation is to upgrade Coder to one of the fixed versions: 2.29.17, 2.32.7, 2.33.8, or 2.34.2. These versions include patches that validate the subdomain username against the resolved workspace owner and enforce proper same-owner CORS checks.

Since no workarounds are available, applying the patch promptly is critical to prevent exploitation.

Compliance Impact

The vulnerability allows an attacker to bypass same-owner CORS checks and perform credentialed cross-origin requests to a victim's workspace apps, potentially leading to unauthorized access and exfiltration of sensitive data.

Such unauthorized data access could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and sharing.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any regulatory consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart