Potential Vulnerability in Coder Development Environment Provisioning via Terraform
CVE-2026-55433
What is CVE-2026-55433?
The Coder platform, which facilitates the provisioning of remote development environments via Terraform, has a vulnerability that permits insufficient authorization checks. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint utilized route middleware that only validated the ActionRead on the workspace. This oversight allowed a low-privilege role to trigger a potentially destructive rebuild without sufficient checks, unlike the more secure delete endpoint that mandates an ActionUpdate authorization. The remediation implemented in the specified versions adds this critical authorization check during execution, enhancing security and protecting user operations.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
