Web Routing Vulnerability in Coder Products
CVE-2026-55430
What is CVE-2026-55430?
The Coder workspace application allows the provisioning of remote development environments via Terraform. Versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 exhibit a vulnerability wherein the workspace app proxy resolves application targets by preferring the X-Forwarded-Host header over the legitimate Host header. This design flaw is particularly concerning as it permits exploitation when subdomain app routing is enabled and when a victim visits an attacker's shared app, allowing client-side JavaScript to dictate the header during fetch() calls. To mitigate this issue, the updated versions have modified the handling of X-Forwarded-Host, only trusting it from verified proxies and relying on the verified request host otherwise. As an additional precaution, deploying an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header for untrusted requests is recommended.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
