CVE-2026-55428

Coder · Coder

Coder contains an authorization flaw that may allow authenticated users to perform unauthorized actions within the development environment.

Executive summary

An authorization vulnerability in Coder may allow authenticated users to bypass access controls and perform unauthorized operations.

Vulnerability

This issue is classified as an improper authorization (CWE-285) and incorrect authorization (CWE-863) flaw. It requires an authenticated user to exploit, potentially allowing them to perform actions beyond their assigned permissions.

Business impact

With a CVSS score of 8.2, this vulnerability represents a significant risk to the integrity and confidentiality of the Coder platform. Successful exploitation could lead to unauthorized access to sensitive projects or administrative functions, undermining the security model of the organization's development infrastructure.

Remediation

Immediate Action: Upgrade to versions 2.34.2, 2.33.8, 2.32.7, or 2.29.17 to resolve the authorization logic errors.

Proactive Monitoring: Review audit logs for unusual user activity or attempts to access resources outside the scope of expected user permissions.

Compensating Controls: Implement strict Role-Based Access Control (RBAC) and restrict network access to the Coder dashboard to trusted segments.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability highlights a critical failure in access control enforcement. Organizations should immediately apply the vendor-provided patches to ensure that user permissions are correctly validated and enforced across the platform.