CVE-2026-55429
Coder · Coder
An authorization bypass vulnerability in Coder allows an authenticated user with administrative privileges to manipulate remote development environment provisioning via Terraform.
Executive summary
An authorization bypass vulnerability in Coder allows privileged users to perform unauthorized actions on remote development environments, posing a risk to infrastructure integrity.
Vulnerability
The vulnerability (CWE-639) exists in the way Coder processes provisioning requests via Terraform. A user-controlled key allows an authenticated administrator to bypass intended authorization checks, potentially affecting the integrity of remote development environments.
Business impact
The CVSS score of 8.7 (High) underscores the severity of this authorization bypass. Successful exploitation could allow unauthorized modification or provisioning of development environments, potentially leading to supply chain compromises, unauthorized access to source code, or internal infrastructure manipulation.
Remediation
Immediate Action: Upgrade to the patched versions: 2.34.2, 2.33.8, 2.32.7, or 2.29.17 as specified in the vendor security advisory.
Proactive Monitoring: Audit recent Terraform provisioning logs and environment change logs to identify any unauthorized or unexpected resource modifications.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) and limit the number of users with administrative access to the Coder platform until patching is complete.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of remote development environments in software delivery, this update should be performed immediately. Administrators must ensure all instances of Coder are updated to the specified secure versions to prevent potential unauthorized infrastructure provisioning.