Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-5g4w-3vw9-478w: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

0
Medium
Published: 07/06/2026 (07/06/2026, 21:05:31 UTC)
Source: GCVE Database
Product: github.com/coder/coder/v2

Description

A vulnerability in Coder's subdomain workspace app routing allows an attacker to exploit the unauthenticated X-Forwarded-Host header to access cross-app data. The app proxy prefers the X-Forwarded-Host header over the real Host header without stripping or validating it, enabling an attacker controlling a shared app to forge this header and access private app data of a victim. Exploitation requires subdomain app routing enabled and no upstream proxy stripping the header. The issue is patched in versions 2.34.2, 2.33.8, 2.32.7, and 2.29.17.

CVSS v3.1

Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Affected software

Goghsa
github.com/coder/coder/v2
Affected versions
>=2.34.0 <2.34.2
Goghsa
github.com/coder/coder/v2
Affected versions
>=2.33.0 <2.33.8
Goghsa
github.com/coder/coder/v2
Affected versions
>=2.30.0 <2.32.7
Goghsa
github.com/coder/coder/v2
Affected versions
<2.29.17

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 23:12:34 UTC

Technical Analysis

The workspace app proxy in github.com/coder/coder/v2 resolves the target app from httpapi.RequestHost(), which prioritizes the X-Forwarded-Host header over the actual Host header. Because no middleware strips or validates this header and it is not restricted by browsers, client-side JavaScript can set it in fetch() calls. When subdomain app routing (wildcard hostname) is enabled and the upstream proxy does not remove X-Forwarded-Host, an attacker controlling a shared workspace app can send requests with a forged X-Forwarded-Host pointing to a victim's private app. The server routes based on this attacker-controlled header but authorizes using the victim's session cookie scoped to the wildcard domain, allowing the attacker to read private app responses. The vulnerability is fixed by trusting X-Forwarded-Host only from configured trusted proxies and otherwise using the verified request host. The fix is backported to all supported release lines including 2.34.2, 2.33.8, 2.32.7, and 2.29.17.

Potential Impact

An attacker who controls a shared workspace app can exploit this vulnerability to read private app data of other users by forging the X-Forwarded-Host header. This leads to unauthorized disclosure of sensitive information scoped to subdomain app routing environments. The attack requires specific deployment conditions: subdomain app routing enabled and no upstream proxy stripping the X-Forwarded-Host header. The vulnerability does not affect availability or integrity but results in a confidentiality breach.

Mitigation Recommendations

A fix is available and has been backported to all supported release lines: 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Users should upgrade to these versions or later. As a workaround, deploy an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header on untrusted requests to prevent exploitation. The fix ensures that X-Forwarded-Host is trusted only from configured trusted proxies and otherwise uses the verified request host for routing.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-5g4w-3vw9-478w
Osv Schema Version
1.4.0
Aliases
["CVE-2026-55430"]
Ecosystems
["Go"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a4c340327e9c797195f5f40

Added to database: 07/06/2026, 23:02:27 UTC

Last enriched: 07/06/2026, 23:12:34 UTC

Last updated: 07/06/2026, 23:12:34 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses