Web Routing Vulnerability in Coder Products
CVE-2026-55430

5.8MEDIUM

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55430?

The Coder workspace application allows the provisioning of remote development environments via Terraform. Versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 exhibit a vulnerability wherein the workspace app proxy resolves application targets by preferring the X-Forwarded-Host header over the legitimate Host header. This design flaw is particularly concerning as it permits exploitation when subdomain app routing is enabled and when a victim visits an attacker's shared app, allowing client-side JavaScript to dictate the header during fetch() calls. To mitigate this issue, the updated versions have modified the handling of X-Forwarded-Host, only trusting it from verified proxies and relying on the verified request host otherwise. As an additional precaution, deploying an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header for untrusted requests is recommended.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.