๐Ÿ” CVE Alert

CVE-2026-55433

MEDIUM 5.4

Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.

CWE CWE-862
Vendor coder
Product coder
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for coder coder

Be the first to know when new medium vulnerabilities affecting coder coder are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Affected Versions

coder / coder
>= 2.34.0, < 2.34.2 >= 2.33.0, < 2.33.8 >= 2.30.0, < 2.32.7 < 2.29.17

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coder/coder/security/advisories/GHSA-jqj2-x4c5-jfxm github.com: https://github.com/coder/coder/pull/25812 github.com: https://github.com/coder/coder/releases/tag/v2.29.17 github.com: https://github.com/coder/coder/releases/tag/v2.32.7 github.com: https://github.com/coder/coder/releases/tag/v2.33.8 github.com: https://github.com/coder/coder/releases/tag/v2.34.2