CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-QRWJ-VH9X-GW5V

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 7, 2026·5 min read·2 visits

Executive Summary (TL;DR)

Insecure HTTP redirect handling in the Coder control plane allows a compromised agent to spoof requests to other workspace agents, enabling cross-tenant file writes and arbitrary code execution.

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Vulnerability Overview

Coder establishes connectivity between users and their workspaces using a secure, peer-to-peer mesh network called Tailnet. The central control-plane daemon, coderd, executes administrative and provisioning actions on workspace agents over this network. These actions are performed via an unauthenticated internal HTTP server running on port 4 of each workspace agent.\n\nBecause these requests traverse a trusted, encrypted tunnel, the agent implicitly trusts any incoming connection. The attack surface resides in how coderd establishes and manages these client connections. A compromised agent can exploit this trust boundary to intercept and redirect requests destined for itself towards other agents.

Root Cause Analysis

The vulnerability stems from insecure HTTP redirect handling in the Go HTTP client used by the Coder control plane. By default, Go's http.Client automatically follows up to ten redirects. Before the patch, the client's transport layer did not customize the CheckRedirect field to disable this behavior.\n\nAdditionally, the custom DialContext function in agentConn.apiClient() dynamically resolved destination addresses based on the request URL's host parameter. When an agent returned an HTTP 307 or 308 redirect, the client parsed the target host from the Location header and dialed it. The code only verified that the destination port matched port 4, without ensuring the destination IP address matched the original, intended agent's IP.\n\nSince Coder allocates deterministic IP addresses to workspace agents based on their UUIDs, an attacker can easily calculate the internal Tailnet IP of any target agent. By forcing a redirect to the victim's deterministic IP, the attacker leverages coderd as an open redirect proxy.

Code-Level Analysis

The vulnerable implementation of apiClient() lacked strict host validation and redirect restrictions. It initialized &http.Client{} with a transport that parsed the dynamically supplied host address directly from the redirect request.\n\ngo\n// Vulnerable code\nfunc (c *agentConn) apiClient(reqCtx context.Context) *http.Client {\n return &http.Client{\n Transport: &http.Transport{\n DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\n host, port, _ := net.SplitHostPort(addr)\n if port != strconv.Itoa(AgentHTTPAPIServerPort) {\n return nil, errors.New(\"invalid port\")\n }\n ipAddr, _ := netip.ParseAddr(host)\n // Direct dialing to arbitrary IP addresses derived from redirect URL\n return c.Conn.DialContextTCP(ctx, netip.AddrPortFrom(ipAddr, AgentHTTPAPIServerPort))\n },\n },\n }\n}\n\n\nThe patched implementation fixes this by explicitly setting CheckRedirect to reject all redirects, and by pinning the dialed destination to a statically resolved agent address. Additionally, it compares the requested host against this pinned address to detect tampering.\n\ngo\n// Patched code\nCheckRedirect: func(*http.Request, []*http.Request) error {\n // Prevent the client from following redirects entirely\n return http.ErrUseLastResponse\n},\n// Pin dialing to the static, resolved agent address\nagentAddr := netip.AddrPortFrom(c.agentAddress(), AgentHTTPAPIServerPort)\n

Exploitation Methodology

An attacker must first compromise or gain administrative access to their own workspace to deploy a modified agent binary. This malicious agent is configured to listen for control-plane requests from coderd. When coderd requests configuration details or port status, the malicious agent returns an HTTP 307 or 308 redirect.\n\nThe redirect points to the target agent's deterministic tailnet IP on port 4, referencing the target endpoint (e.g., /api/v0/write-file or /api/v0/start-process). Because HTTP 307 and 308 codes preserve the original request method and payload body, coderd replays the administrative action to the victim agent.\n\nmermaid\ngraph LR\n AttackerAgent[\"Malicious Agent (Attacker Workspace)\"]\n CoderD[\"Coder Control Plane (coderd)\"]\n VictimAgent[\"Victim Agent (Target Workspace)\"]\n\n CoderD -->|\"1. Send API request\"| AttackerAgent\n AttackerAgent -->|\"2. HTTP 307 Redirect (to Victim IP)\"| CoderD\n CoderD -->|\"3. Replay Request to Port 4\"| VictimAgent\n\n\nThe victim agent receives the request over the trusted Tailnet, validates the source as coderd, and performs the requested operation. An attacker can write arbitrary files to the victim workspace filesystem and subsequently execute them, achieving remote code execution.

Impact Assessment

The security impact of this vulnerability is high, carrying a CVSS score of 8.0. Successful exploitation allows complete cross-tenant isolation bypass within a single Coder deployment. An attacker can read sensitive files, modify environment configurations, and execute commands under the privileges of the victim's workspace agent.\n\nBecause workspace agents often run with privileges that allow access to cloud credentials, source code repositories, and local development tools, this compromise can lead to broader lateral movement. The vulnerability is tracked as GHSA-QRWJ-VH9X-GW5V. No widespread public exploitation has been reported in the wild.

Remediation and Defense

To remediate this vulnerability, administrators must update their Coder deployment to one of the patched releases. The vulnerability is addressed in versions v2.34.4, v2.33.10, v2.32.9, and v2.29.19 (ESR).\n\nIf an immediate upgrade is not feasible, administrators should monitor the Tailnet network for anomalous HTTP redirect codes. In standard environments, workspace agents do not return redirect responses to the control plane. Post-upgrade, Coder will log warning events with the text "blocked workspace agent API request to unintended host" if redirect manipulation is attempted.

Technical Appendix

CVSS Score
8.0/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Systems

Coder Workspace Agent Client
AttributeDetail
CWE IDCWE-918 (Server-Side Request Forgery)
Attack VectorNetwork (AV:N)
CVSS8.0 (High)
EPSS ScoreNot Available
ImpactRemote Code Execution (RCE) / Unauthorized File Access
Exploit StatusPoC (Proof of Concept)
KEV StatusNot Listed
CWE-918
Server-Side Request Forgery (SSRF)

Vulnerability Timeline

Security fix engineered and commits merged under Issue CODAGT-668
2026-06-23
Official publication of the security advisory (GHSA-QRWJ-VH9X-GW5V)
2026-07-06

References & Sources

  • [1]Official Security Advisory (GitHub)
  • [2]Fix Pull Request #26600

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•11 minutes ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
0 views•8 min read
•41 minutes ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
1 views•5 min read
•about 2 hours ago•CVE-2026-35341
7.1

CVE-2026-35341: Local Privilege Escalation and Permission Degradation in uutils coreutils mkfifo

CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.

Alon Barad
Alon Barad
2 views•7 min read
•about 3 hours ago•CVE-2026-35361
3.4

CVE-2026-35361: Security Permission Bypass via Improper File Cleanup in uutils coreutils mknod

A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.

Amit Schendel
Amit Schendel
2 views•9 min read
•about 3 hours ago•CVE-2026-35381
3.3

CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility

A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.

Alon Barad
Alon Barad
6 views•7 min read