Published : July 8, 2026, 12:16 a.m. | 58 minutes ago
Description :Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app’s `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner’s `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-55429
N/A
Upon discovery of CVE-2026-55429, which is understood to be a critical pre-authentication Remote Code Execution (RCE) vulnerability in a widely deployed network service, immediate action is paramount to prevent exploitation and mitigate potential damage.
a. Emergency Isolation and Network Control
i. Identify and isolate all instances of the affected service. If immediate patching is not possible, consider temporarily disconnecting internet-facing instances or placing them behind a restrictive firewall.
ii. Implement perimeter firewall rules to block all external access to the vulnerable service's default ports. If the service must remain accessible, restrict access to only trusted IP ranges (e.g., VPN gateways, internal networks).
iii. For services exposed via HTTP/S, deploy Web Application Firewall (WAF) rules to block suspicious or malformed requests that could trigger the vulnerability. Specifically, look for capabilities to filter or sanitize complex header structures, unusual request methods, or abnormally long/malformed input fields that the service might process pre-authentication.
b. Incident Response Activation
i. Immediately activate your organization's incident response plan.
ii. Initiate a forensic investigation on any systems suspected of compromise. Look for unusual process activity, new user accounts, unauthorized network connections, or unexpected file modifications originating from the service account running the vulnerable application.
c. Inventory and Prioritization
i. Conduct an urgent inventory scan to identify all systems running the affected software/service across your environment.
ii. Prioritize remediation efforts based on exposure (internet-facing vs. internal), criticality of data processed, and potential blast radius. Internet-facing and mission-critical systems must be addressed first.
d. Data Backup
i. Ensure recent, verified backups of all critical data and system configurations associated with the affected service are available. This is crucial for recovery in case of successful exploitation.
2. PATCH AND UPDATE INFORMATION
The most effective long-term remediation is to apply vendor-provided patches.
a. Vendor Monitoring
i. Continuously monitor official vendor advisories, security bulletins, and support channels for the affected software. Expect a patch release to address CVE-2026-55429.
ii. Subscribe to security mailing lists and RSS feeds from the vendor to receive real-time updates.
b. Patch Application
i. Once available, acquire the official security patch from the vendor.
ii. Prioritize patching critical, internet-facing systems first, followed by internal production systems, and then development/test environments.
iii. Before deploying to production, thoroughly test the patch in a non-production environment to ensure compatibility and stability with existing applications and infrastructure.
iv. Follow the vendor's recommended patching procedure precisely. This may involve specific installation steps, service restarts, or configuration changes.
c. Version Control
i. Verify that all instances of the affected software are updated to the patched version. Maintain strict version control to prevent reintroduction of vulnerable versions.
3. MITIGATION STRATEGIES
If immediate patching is not feasible, or as a temporary measure while awaiting a patch, implement the following mitigation strategies.
a. Network Segmentation and Access Control
i. Implement strict network segmentation to isolate the vulnerable service from other critical systems.
ii. Enforce the principle of least privilege for network access. Restrict