CVE-2026-44454

Coder · Coder

Coder is vulnerable to OS command injection, which can be triggered by unauthenticated users through specially crafted requests.

Executive summary

An OS command injection vulnerability in Coder could allow an unauthenticated attacker to execute arbitrary commands on the host system.

Vulnerability

This is an OS command injection vulnerability (CWE-78) where improper neutralization of special elements allows attackers to inject and execute commands. The vulnerability is exploitable by unauthenticated remote users.

Business impact

With a CVSS score of 8.1, this vulnerability poses a high risk to the host environment. An attacker can leverage this flaw to gain unauthorized control over the server, potentially stealing credentials, exfiltrating data, or establishing persistence, leading to significant reputational and operational damage.

Remediation

Immediate Action: Update the Coder installation to version 2.29.7 or 2.30.2 to remediate the command injection flaw.

Proactive Monitoring: Inspect system processes and network traffic for suspicious command execution patterns or unauthorized outbound connections.

Compensating Controls: Utilize a WAF to inspect incoming HTTP requests for malicious command sequences or shell metacharacters that target this vulnerability.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Command injection is a critical vulnerability that requires immediate attention. Organizations must verify their current version of Coder and apply the necessary patches immediately to prevent potential remote code execution by unauthenticated adversaries.