Insecure Transport Issue in Coder's Remote Development Environment Management
CVE-2026-55436
What is CVE-2026-55436?
Coder's AI Bridge Proxy has a configuration flaw that defaults to using insecure transport settings when establishing outbound HTTPS connections. Specifically, this issue arises when the proxy is not set up with an upstream proxy, leading to potential exploitation via man-in-the-middle attacks. The default method permits any TLS certificate, compromising the integrity of secure communications. Affected versions extend from 2.30.0 up until the patches in 2.32.7, 2.33.8, and 2.34.2, which enforce secure transport unconditionally. Users are advised to employ trusted certificates for Coder access URLs and secure the network path to mitigate risks.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
