Remote Development Environment Vulnerability in Coder by Coder
CVE-2026-55431
What is CVE-2026-55431?
The Coder application has a vulnerability that allows the execution of external workspace-app URLs without proper validation of their schemes or hosts. This issue arises when users invoke the coder open app command linked to a workspace controlled by an attacker. If the external URL includes the '$SESSION_TOKEN' placeholder, it can be exploited to substitute the placeholder with the user's actual session token, thereby compromising user data. To mitigate risk, versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 have implemented a URL-scheme allowlist, restricting the replacement of '$SESSION_TOKEN' to trusted URLs only. Users are advised to refrain from using coder open app in untrusted environments.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
