Home

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.

PUBLISHED Reserved 2026-06-16 | Published 2026-07-08 | Updated 2026-07-08 | Assigner GitHub_M




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-862: Missing Authorization

Product status

>= 2.34.0, < 2.34.2
affected

>= 2.33.0, < 2.33.8
affected

>= 2.30.0, < 2.32.7
affected

< 2.29.17
affected

References

github.com/.../coder/security/advisories/GHSA-jqj2-x4c5-jfxm

github.com/coder/coder/pull/25812

github.com/coder/coder/releases/tag/v2.29.17

github.com/coder/coder/releases/tag/v2.32.7

github.com/coder/coder/releases/tag/v2.33.8

github.com/coder/coder/releases/tag/v2.34.2

cve.org (CVE-2026-55433)

nvd.nist.gov (CVE-2026-55433)

Download JSON