Potential Vulnerability in Coder Development Environment Provisioning via Terraform
CVE-2026-55433

5.4MEDIUM

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55433?

The Coder platform, which facilitates the provisioning of remote development environments via Terraform, has a vulnerability that permits insufficient authorization checks. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint utilized route middleware that only validated the ActionRead on the workspace. This oversight allowed a low-privilege role to trigger a potentially destructive rebuild without sufficient checks, unlike the more secure delete endpoint that mandates an ActionUpdate authorization. The remediation implemented in the specified versions adds this critical authorization check during execution, enhancing security and protecting user operations.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.