๐Ÿ” CVE Alert

CVE-2026-55428

HIGH 8.2

Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator

CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.

CWE CWE-285 CWE-863
Vendor coder
Product coder
Published Jul 7, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for coder coder

Be the first to know when new high vulnerabilities affecting coder coder are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

coder / coder
>= 2.34.0, < 2.34.2 >= 2.33.0, < 2.33.8 >= 2.30.0, < 2.32.7 < 2.29.17

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp github.com: https://github.com/coder/coder/pull/26144 github.com: https://github.com/coder/coder/releases/tag/v2.29.17 github.com: https://github.com/coder/coder/releases/tag/v2.32.7 github.com: https://github.com/coder/coder/releases/tag/v2.33.8 github.com: https://github.com/coder/coder/releases/tag/v2.34.2