216.73.216.170

CVE-2026-55433

· Published 08/07/2026 03:16 · Author: The MITRE Corporation

Labels: CVE-2026-55433

Essential information

Published
08/07/2026 03:16
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
5.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CWE-862
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CVSS metrics

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.

NVD status

NVD
View on NVD