GHSA-WRQ8-FCV5-8HVP

Vulnerability from github – Published: 2026-07-06 20:58 – Updated: 2026-07-06 20:58
VLAI
Summary
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
Details

Summary

The tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration.

Impact

A malicious workspace agent can advertise arbitrary AllowedIPs prefixes including another agent's tailnet address. Coder's ServerTailnet routes to agents by tailnet IP so an agent that claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary.

Patches

The fix validates each AllowedIPs prefix against the authenticating agent's UUID just like Addresses.

The fix was backported to all supported release lines:

Release line Patched version
2.34 v2.34.2
2.33 v2.33.8
2.32 v2.32.7
2.29 (ESR) v2.29.17

Workarounds

Operators who cannot upgrade immediately should monitor coordinator logs for agents advertising unexpected AllowedIPs prefixes.

Resources

  • Fix: #26144

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22451) for independently disclosing this issue!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.34.0"
            },
            {
              "fixed": "2.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.33.0"
            },
            {
              "fixed": "2.33.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.30.0"
            },
            {
              "fixed": "2.32.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.29.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T20:58:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe tailnet coordinator validates that an agent\u0027s `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration.\n\n### Impact\n\nA malicious workspace agent can advertise arbitrary `AllowedIPs` prefixes including another agent\u0027s tailnet address. Coder\u0027s `ServerTailnet` routes to agents by tailnet IP so an agent that claims a victim\u0027s prefix can intercept web terminal and workspace app traffic and serve spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary.\n\n### Patches\n\nThe fix validates each `AllowedIPs` prefix against the authenticating agent\u0027s UUID just like `Addresses`.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nOperators who cannot upgrade immediately should monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.\n\n### Resources\n\n- Fix: #26144\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22451) for independently disclosing this issue!",
  "id": "GHSA-wrq8-fcv5-8hvp",
  "modified": "2026-07-06T20:58:30Z",
  "published": "2026-07-06T20:58:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/security/advisories/GHSA-wrq8-fcv5-8hvp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/26144"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/coder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…