Home

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.

PUBLISHED Reserved 2025-11-28 | Published 2025-12-03 | Updated 2025-12-03 | Assigner GitHub_M




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-532: Insertion of Sensitive Information into Log File

Product status

>= 2.28.0, < 2.28.4
affected

>= 2.27.0, < 2.27.7
affected

< 2.26.5
affected

References

github.com/.../coder/security/advisories/GHSA-jf75-p25m-pw74

github.com/...ommit/e2a46393fce40bc630df3293c1ee66a596277289

github.com/coder/coder/releases/tag/v2.26.5

github.com/coder/coder/releases/tag/v2.27.7

github.com/coder/coder/releases/tag/v2.28.4

cve.org (CVE-2025-66411)

nvd.nist.gov (CVE-2025-66411)