CVE-2026-44454
Coder · Coder
Coder is vulnerable to OS command injection, which can be triggered by unauthenticated users through specially crafted requests.
Executive summary
An OS command injection vulnerability in Coder could allow an unauthenticated attacker to execute arbitrary commands on the host system.
Vulnerability
This is an OS command injection vulnerability (CWE-78) where improper neutralization of special elements allows attackers to inject and execute commands. The vulnerability is exploitable by unauthenticated remote users.
Business impact
With a CVSS score of 8.1, this vulnerability poses a high risk to the host environment. An attacker can leverage this flaw to gain unauthorized control over the server, potentially stealing credentials, exfiltrating data, or establishing persistence, leading to significant reputational and operational damage.
Remediation
Immediate Action: Update the Coder installation to version 2.29.7 or 2.30.2 to remediate the command injection flaw.
Proactive Monitoring: Inspect system processes and network traffic for suspicious command execution patterns or unauthorized outbound connections.
Compensating Controls: Utilize a WAF to inspect incoming HTTP requests for malicious command sequences or shell metacharacters that target this vulnerability.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Command injection is a critical vulnerability that requires immediate attention. Organizations must verify their current version of Coder and apply the necessary patches immediately to prevent potential remote code execution by unauthenticated adversaries.