Insecure Transport Issue in Coder's Remote Development Environment Management
CVE-2026-55436

7.4HIGH

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55436?

Coder's AI Bridge Proxy has a configuration flaw that defaults to using insecure transport settings when establishing outbound HTTPS connections. Specifically, this issue arises when the proxy is not set up with an upstream proxy, leading to potential exploitation via man-in-the-middle attacks. The default method permits any TLS certificate, compromising the integrity of secure communications. Affected versions extend from 2.30.0 up until the patches in 2.32.7, 2.33.8, and 2.34.2, which enforce secure transport unconditionally. Users are advised to employ trusted certificates for Coder access URLs and secure the network path to mitigate risks.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.