{"api_version":"1","generated_at":"2026-04-23T09:40:50+00:00","cve":"CVE-2023-26114","urls":{"html":"https://cve.report/CVE-2023-26114","api":"https://cve.report/api/cve/CVE-2023-26114.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-26114","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-26114"},"summary":{"title":"CVE-2023-26114","description":"Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2023-03-23 05:15:00","updated_at":"2023-11-07 04:09:00"},"problem_types":["CWE-346"],"metrics":[],"references":[{"url":"https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7","name":"https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7","refsource":"MISC","tags":[],"title":"Add origin checks to web sockets (#6048) · coder/code-server@d477972 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148","name":"https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148","refsource":"MISC","tags":[],"title":"Missing Origin Validation in WebSockets in code-server | CVE-2023-26114 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/coder/code-server/releases/tag/v4.10.1","name":"https://github.com/coder/code-server/releases/tag/v4.10.1","refsource":"MISC","tags":[],"title":"Release v4.10.1 · coder/code-server · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-26114","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26114","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"26114","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"coder","cpe5":"code-server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-26114","ASSIGNER":"report@snyk.io","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Missing Origin Validation in WebSockets","cweId":"CWE-1385"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"code-server","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"4.10.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148","refsource":"MISC","name":"https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148"},{"url":"https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7","refsource":"MISC","name":"https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7"},{"url":"https://github.com/coder/code-server/releases/tag/v4.10.1","refsource":"MISC","name":"https://github.com/coder/code-server/releases/tag/v4.10.1"}]},"credits":[{"lang":"en","value":"Elliot W - Snyk Research Team"}],"impact":{"cvss":[{"version":"3.1","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW","baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L/E:P"}]}},"nvd":{"publishedDate":"2023-03-23 05:15:00","lastModifiedDate":"2023-11-07 04:09:00","problem_types":["CWE-346"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":9.3,"baseSeverity":"CRITICAL"},"exploitabilityScore":2.8,"impactScore":5.8}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*","versionEndExcluding":"4.10.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}