CVE-2026-55438

Source
https://cve.org/CVERecord?id=CVE-2026-55438
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55438.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55438
Aliases
Published
2026-07-08T00:31:20.573Z
Modified
2026-07-10T04:02:32.177258880Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Details

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55438.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-346"
    ]
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.29.17"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        }
    ]
}

Affected versions

Other
rm
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.22.2
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.27.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v2.*
v2.0.2
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.2.1
v2.29.0
v2.29.1
v2.29.10
v2.29.11
v2.29.12
v2.29.13
v2.29.14
v2.29.15
v2.29.16
v2.29.2
v2.29.3
v2.29.4
v2.29.5
v2.29.6
v2.29.7
v2.29.8
v2.29.9
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.32.0
v2.32.0-rc.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.32.6
v2.33.0
v2.33.0-rc.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55438.json"