Remote Workspace Creation Vulnerability in Coder Software
CVE-2026-44454
8.1HIGH
What is CVE-2026-44454?
Coder allows users to create remote development environments through Terraform. In earlier versions, specifically prior to 2.29.7 and 2.30.2, the 'mode=auto' feature enabled workspace creation using deep links that were susceptible to manipulation by attackers. This flaw allowed attackers to provision workspaces with parameters under their control without requiring explicit user consent. The subsequent updates incorporated a consent dialog, ensuring that users are presented with all prefilled parameters, thus preventing unauthorized workspace creation until the user explicitly confirms the action.
Affected Version(s)
coder < 2.29.7 < 2.29.7
coder >= 2.30.0, < 2.30.2 < 2.30.0, 2.30.2
