CVE-2026-55428 - Coder Vulnerability Route Hijacking Risk
CVE-2026-55428 - Coder Vulnerability: Route Hijacking Risk
CVE-2026-55428 details a vulnerability in Coder concerning route hijacking through a lack of validation of agent-supplied AllowedIPs in the tailnet coordinator. Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent’s Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. 🚨
Fix and Workaround
The fix for this issue is included in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2. These updated versions validate each AllowedIPs prefix against the authenticating agent’s UUID, mirroring the checks applied to Addresses. As a recommended workaround, organizations should monitor coordinator logs for agents advertising unexpected AllowedIPs prefixes. 📊
Affected Versions
The CVE-2026-55428 vulnerability was officially received on July 8, 2026. Specific affected Coder product versions include those ranging from >= 2.34.0 to < 2.34.2, from >= 2.33.0 to < 2.33.8, from >= 2.30.0 to < 2.32.7, and all versions < 2.29.17. ⚠️
CVSS Score
This vulnerability has been assigned a CVSS V3.1 score of AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N. It is also associated with two Common Weakness Enumerations (CWEs): CWE-285 and CWE-863.
For further information and detailed changes, the following references are available:
To read the complete article see: Read full article