Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

coder — Vulnerabilities & Security Advisories 23

All 23 CVE vulnerabilities found in coder, with AI-generated Chinese analysis, references, and POCs.

This page is a vulnerability aggregation resource for the coder product, focusing on Common Weakness Enumeration (CWE) classifications and associated security tags. It compiles a comprehensive list of known security flaws, configuration issues, and software defects reported for this specific tool. The collection spans from the initial release of the product up to the most recent updates, ensuring a historical view of its security posture over time. Visitors to this page can systematically track advisories issued by the vendor regarding coder, gaining insight into how security issues are communicated and resolved. Users can also dive deep into specific weakness classes to understand the root causes of reported defects and how they might affect deployment. Furthermore, the page allows for a detailed lookup of a product's vulnerability history, enabling security teams to assess risk trends and prioritize mitigation efforts. By centralizing this information, the resource supports more informed decision-making for developers and security analysts who rely on coder for their workflows. The data is structured to facilitate easy comparison across different versions and release cycles, helping identify recurring patterns in the software's security landscape. This approach provides a clear, objective overview without bias, serving as a factual reference point for auditing and compliance purposes. The content is regularly updated to reflect the latest findings and patch status, ensuring that users have access to current and relevant security intelligence.

Vendor: coder

CVE IDTitleCVSSSeverityPublished
CVE-2026-55438 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing CWE-346 5.8 Medium2026-07-08
CVE-2026-55437 Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component CWE-79 5.4 Medium2026-07-08
CVE-2026-55436 Coder's AI Bridge Proxy skips TLS certificate verification in default configuration CWE-295 7.4 High2026-07-08
CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers CWE-862 5.4 Medium2026-07-08
CVE-2026-55432 Coder's sub-agent app registration bypasses template port-sharing policy enforcement CWE-862 5.4 Medium2026-07-08
CVE-2026-55431 Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps CWE-522 7.7 High2026-07-08
CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access CWE-345 5.8 Medium2026-07-08
CVE-2026-55429 Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID CWE-639 8.7 High2026-07-08
CVE-2026-55428 Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator CWE-285 8.2 High2026-07-07
CVE-2026-55427 Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` CWE-74 8.3 High2026-07-07
CVE-2026-55079 Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service CWE-789 4.9 Medium2026-07-07
CVE-2026-55078 Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service CWE-409 6.5 Medium2026-07-07
CVE-2026-55077 Coder: User-admin role can reset owner account password CWE-285 7.2 High2026-07-07
CVE-2026-55076 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking CWE-287 7.4 High2026-07-07
CVE-2026-55075 Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass CWE-287 7.4 High2026-07-07
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft CWE-347 9.1 Critical2026-07-07
CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint CWE-918 6.5 Medium2026-07-07
CVE-2026-44454 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent CWE-78 8.1 High2026-07-07
CVE-2026-55434 Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints CWE-770 6.5 Medium2026-07-07
CVE-2026-55435 Suspended Coder users retain access to AI Bridge LLM proxy endpoints CWE-863 5.4 Medium2026-07-07
CVE-2025-66411 Coder logged sensitive objects unsanitized CWE-532 7.8 High2025-12-03
CVE-2025-58437 Coder's privilege escalation vulnerability could lead to a cross workspace compromise CWE-613 8.1 High2025-09-06
CVE-2024-27918 Coder's OIDC authentication allows email with partially matching domain to register CWE-20 8.2 High2024-03-06

All 23 known CVE vulnerabilities affecting coder with full Chinese analysis, references, and POCs where available.