Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-5wg6-jmq2-53pw | Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 03:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Coder
Coder coder |
|
| Vendors & Products |
Coder
Coder coder |
Wed, 08 Jul 2026 01:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available. | |
| Title | Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing | |
| Weaknesses | CWE-346 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T17:10:30.943Z
Reserved: 2026-06-16T21:59:57.017Z
Link: CVE-2026-55438
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T03:00:04Z
Weaknesses
Github GHSA