CVE-2026-55430 PUBLISHED

Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 08.07.2026 Updated: 08.07.2026

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost() which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch() calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip X-Forwarded-Host. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts X-Forwarded-Host only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites X-Forwarded-Host on untrusted requests.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 5.8

Product Status

Vendor coder
Product coder
Versions
  • Version >= 2.34.0, < 2.34.2 is affected
  • Version >= 2.33.0, < 2.33.8 is affected
  • Version >= 2.30.0, < 2.32.7 is affected
  • Version < 2.29.17 is affected

References

Problem Types

  • CWE-345: Insufficient Verification of Data Authenticity CWE
  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') CWE