Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Summary
| CVE | CVE-2026-55438 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 01:16:28 UTC |
| Updated | 2026-07-08 01:16:28 UTC |
| Description | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available. |
Risk And Classification
Primary CVSS: v3.1 5.8 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Problem Types: CWE-346 | CWE-346 CWE-346: Origin Validation Error
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
LowUser Interaction
RequiredScope
ChangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/coder/coder/releases/tag/v2.34.2 | [email protected] | github.com | |
| github.com/coder/coder/security/advisories/GHSA-5wg6-jmq2-53pw | [email protected] | github.com | |
| github.com/coder/coder/pull/26085 | [email protected] | github.com | |
| github.com/coder/coder/releases/tag/v2.29.17 | [email protected] | github.com | |
| github.com/coder/coder/releases/tag/v2.32.7 | [email protected] | github.com | |
| github.com/coder/coder/pull/26086 | [email protected] | github.com | |
| github.com/coder/coder/releases/tag/v2.33.8 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.