CVE-2026-55428 PUBLISHED

Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 07.07.2026 Updated: 08.07.2026

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each AllowedIPs prefix against the authenticating agent's UUID just like Addresses. As a workaround, monitor coordinator logs for agents advertising unexpected AllowedIPs prefixes.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 8.2

Product Status

Vendor coder
Product coder
Versions
  • Version >= 2.34.0, < 2.34.2 is affected
  • Version >= 2.33.0, < 2.33.8 is affected
  • Version >= 2.30.0, < 2.32.7 is affected
  • Version < 2.29.17 is affected

References

Problem Types

  • CWE-285: Improper Authorization CWE
  • CWE-863: Incorrect Authorization CWE