CVE-2026-55430

Source
https://cve.org/CVERecord?id=CVE-2026-55430
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55430.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55430
Aliases
Published
2026-07-08T00:03:29.728Z
Modified
2026-07-10T04:02:53.394517416Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Details

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost() which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch() calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip X-Forwarded-Host. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts X-Forwarded-Host only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites X-Forwarded-Host on untrusted requests.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55430.json",
    "cwe_ids": [
        "CWE-345",
        "CWE-441"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.29.17"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        }
    ]
}

Affected versions

Other
rm
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.22.2
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.27.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v2.*
v2.0.2
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.2.1
v2.29.0
v2.29.1
v2.29.10
v2.29.11
v2.29.12
v2.29.13
v2.29.14
v2.29.15
v2.29.16
v2.29.2
v2.29.3
v2.29.4
v2.29.5
v2.29.6
v2.29.7
v2.29.8
v2.29.9
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.32.0
v2.32.0-rc.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.32.6
v2.33.0
v2.33.0-rc.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55430.json"