Denial of Service Vulnerability in Coder's Terraform Development Environment
CVE-2026-55078

6.5MEDIUM

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55078?

The vulnerability in Coder's development environments concerns a flaw in the file upload mechanism. Specifically, when zips are uploaded via the API, the system converts them to tar files in memory. This process correctly applies a size limit per entry but fails to impose a total size limit on the entire decompressed data. As a result, it can lead to an unbounded in-memory buffer allocation, resulting in a Denial of Service condition. Proper mitigation requires updating to safe versions where preflight checks and size limit enforcement mechanisms have been implemented. Organizations running affected versions should restrict user permissions for file uploads or implement reverse proxies to mitigate potential exploitation.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.