Jul 7, 2026·5 min read·2 visits
Insecure HTTP redirect handling in the Coder control plane allows a compromised agent to spoof requests to other workspace agents, enabling cross-tenant file writes and arbitrary code execution.
An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.
Coder establishes connectivity between users and their workspaces using a secure, peer-to-peer mesh network called Tailnet. The central control-plane daemon, coderd, executes administrative and provisioning actions on workspace agents over this network. These actions are performed via an unauthenticated internal HTTP server running on port 4 of each workspace agent.\n\nBecause these requests traverse a trusted, encrypted tunnel, the agent implicitly trusts any incoming connection. The attack surface resides in how coderd establishes and manages these client connections. A compromised agent can exploit this trust boundary to intercept and redirect requests destined for itself towards other agents.
The vulnerability stems from insecure HTTP redirect handling in the Go HTTP client used by the Coder control plane. By default, Go's http.Client automatically follows up to ten redirects. Before the patch, the client's transport layer did not customize the CheckRedirect field to disable this behavior.\n\nAdditionally, the custom DialContext function in agentConn.apiClient() dynamically resolved destination addresses based on the request URL's host parameter. When an agent returned an HTTP 307 or 308 redirect, the client parsed the target host from the Location header and dialed it. The code only verified that the destination port matched port 4, without ensuring the destination IP address matched the original, intended agent's IP.\n\nSince Coder allocates deterministic IP addresses to workspace agents based on their UUIDs, an attacker can easily calculate the internal Tailnet IP of any target agent. By forcing a redirect to the victim's deterministic IP, the attacker leverages coderd as an open redirect proxy.
The vulnerable implementation of apiClient() lacked strict host validation and redirect restrictions. It initialized &http.Client{} with a transport that parsed the dynamically supplied host address directly from the redirect request.\n\ngo\n// Vulnerable code\nfunc (c *agentConn) apiClient(reqCtx context.Context) *http.Client {\n return &http.Client{\n Transport: &http.Transport{\n DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\n host, port, _ := net.SplitHostPort(addr)\n if port != strconv.Itoa(AgentHTTPAPIServerPort) {\n return nil, errors.New(\"invalid port\")\n }\n ipAddr, _ := netip.ParseAddr(host)\n // Direct dialing to arbitrary IP addresses derived from redirect URL\n return c.Conn.DialContextTCP(ctx, netip.AddrPortFrom(ipAddr, AgentHTTPAPIServerPort))\n },\n },\n }\n}\n\n\nThe patched implementation fixes this by explicitly setting CheckRedirect to reject all redirects, and by pinning the dialed destination to a statically resolved agent address. Additionally, it compares the requested host against this pinned address to detect tampering.\n\ngo\n// Patched code\nCheckRedirect: func(*http.Request, []*http.Request) error {\n // Prevent the client from following redirects entirely\n return http.ErrUseLastResponse\n},\n// Pin dialing to the static, resolved agent address\nagentAddr := netip.AddrPortFrom(c.agentAddress(), AgentHTTPAPIServerPort)\n
An attacker must first compromise or gain administrative access to their own workspace to deploy a modified agent binary. This malicious agent is configured to listen for control-plane requests from coderd. When coderd requests configuration details or port status, the malicious agent returns an HTTP 307 or 308 redirect.\n\nThe redirect points to the target agent's deterministic tailnet IP on port 4, referencing the target endpoint (e.g., /api/v0/write-file or /api/v0/start-process). Because HTTP 307 and 308 codes preserve the original request method and payload body, coderd replays the administrative action to the victim agent.\n\nmermaid\ngraph LR\n AttackerAgent[\"Malicious Agent (Attacker Workspace)\"]\n CoderD[\"Coder Control Plane (coderd)\"]\n VictimAgent[\"Victim Agent (Target Workspace)\"]\n\n CoderD -->|\"1. Send API request\"| AttackerAgent\n AttackerAgent -->|\"2. HTTP 307 Redirect (to Victim IP)\"| CoderD\n CoderD -->|\"3. Replay Request to Port 4\"| VictimAgent\n\n\nThe victim agent receives the request over the trusted Tailnet, validates the source as coderd, and performs the requested operation. An attacker can write arbitrary files to the victim workspace filesystem and subsequently execute them, achieving remote code execution.
The security impact of this vulnerability is high, carrying a CVSS score of 8.0. Successful exploitation allows complete cross-tenant isolation bypass within a single Coder deployment. An attacker can read sensitive files, modify environment configurations, and execute commands under the privileges of the victim's workspace agent.\n\nBecause workspace agents often run with privileges that allow access to cloud credentials, source code repositories, and local development tools, this compromise can lead to broader lateral movement. The vulnerability is tracked as GHSA-QRWJ-VH9X-GW5V. No widespread public exploitation has been reported in the wild.
To remediate this vulnerability, administrators must update their Coder deployment to one of the patched releases. The vulnerability is addressed in versions v2.34.4, v2.33.10, v2.32.9, and v2.29.19 (ESR).\n\nIf an immediate upgrade is not feasible, administrators should monitor the Tailnet network for anomalous HTTP redirect codes. In standard environments, workspace agents do not return redirect responses to the control plane. Post-upgrade, Coder will log warning events with the text "blocked workspace agent API request to unintended host" if redirect manipulation is attempted.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L| Attribute | Detail |
|---|---|
| CWE ID | CWE-918 (Server-Side Request Forgery) |
| Attack Vector | Network (AV:N) |
| CVSS | 8.0 (High) |
| EPSS Score | Not Available |
| Impact | Remote Code Execution (RCE) / Unauthorized File Access |
| Exploit Status | PoC (Proof of Concept) |
| KEV Status | Not Listed |
CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.
Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.
A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.
A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.