Remote Workspace Creation Vulnerability in Coder Software
CVE-2026-44454

8.1HIGH

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-44454?

Coder allows users to create remote development environments through Terraform. In earlier versions, specifically prior to 2.29.7 and 2.30.2, the 'mode=auto' feature enabled workspace creation using deep links that were susceptible to manipulation by attackers. This flaw allowed attackers to provision workspaces with parameters under their control without requiring explicit user consent. The subsequent updates incorporated a consent dialog, ensuring that users are presented with all prefilled parameters, thus preventing unauthorized workspace creation until the user explicitly confirms the action.

Affected Version(s)

coder < 2.29.7 < 2.29.7

coder >= 2.30.0, < 2.30.2 < 2.30.0, 2.30.2

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.