GHSA-5g4w-3vw9-478w: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
A vulnerability in Coder's subdomain workspace app routing allows an attacker to exploit the unauthenticated X-Forwarded-Host header to access cross-app data. The app proxy prefers the X-Forwarded-Host header over the real Host header without stripping or validating it, enabling an attacker controlling a shared app to forge this header and access private app data of a victim. Exploitation requires subdomain app routing enabled and no upstream proxy stripping the header. The issue is patched in versions 2.34.2, 2.33.8, 2.32.7, and 2.29.17.
AI Analysis
Technical Summary
The workspace app proxy in github.com/coder/coder/v2 resolves the target app from httpapi.RequestHost(), which prioritizes the X-Forwarded-Host header over the actual Host header. Because no middleware strips or validates this header and it is not restricted by browsers, client-side JavaScript can set it in fetch() calls. When subdomain app routing (wildcard hostname) is enabled and the upstream proxy does not remove X-Forwarded-Host, an attacker controlling a shared workspace app can send requests with a forged X-Forwarded-Host pointing to a victim's private app. The server routes based on this attacker-controlled header but authorizes using the victim's session cookie scoped to the wildcard domain, allowing the attacker to read private app responses. The vulnerability is fixed by trusting X-Forwarded-Host only from configured trusted proxies and otherwise using the verified request host. The fix is backported to all supported release lines including 2.34.2, 2.33.8, 2.32.7, and 2.29.17.
Potential Impact
An attacker who controls a shared workspace app can exploit this vulnerability to read private app data of other users by forging the X-Forwarded-Host header. This leads to unauthorized disclosure of sensitive information scoped to subdomain app routing environments. The attack requires specific deployment conditions: subdomain app routing enabled and no upstream proxy stripping the X-Forwarded-Host header. The vulnerability does not affect availability or integrity but results in a confidentiality breach.
Mitigation Recommendations
A fix is available and has been backported to all supported release lines: 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Users should upgrade to these versions or later. As a workaround, deploy an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header on untrusted requests to prevent exploitation. The fix ensures that X-Forwarded-Host is trusted only from configured trusted proxies and otherwise uses the verified request host for routing.
GHSA-5g4w-3vw9-478w: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Description
A vulnerability in Coder's subdomain workspace app routing allows an attacker to exploit the unauthenticated X-Forwarded-Host header to access cross-app data. The app proxy prefers the X-Forwarded-Host header over the real Host header without stripping or validating it, enabling an attacker controlling a shared app to forge this header and access private app data of a victim. Exploitation requires subdomain app routing enabled and no upstream proxy stripping the header. The issue is patched in versions 2.34.2, 2.33.8, 2.32.7, and 2.29.17.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The workspace app proxy in github.com/coder/coder/v2 resolves the target app from httpapi.RequestHost(), which prioritizes the X-Forwarded-Host header over the actual Host header. Because no middleware strips or validates this header and it is not restricted by browsers, client-side JavaScript can set it in fetch() calls. When subdomain app routing (wildcard hostname) is enabled and the upstream proxy does not remove X-Forwarded-Host, an attacker controlling a shared workspace app can send requests with a forged X-Forwarded-Host pointing to a victim's private app. The server routes based on this attacker-controlled header but authorizes using the victim's session cookie scoped to the wildcard domain, allowing the attacker to read private app responses. The vulnerability is fixed by trusting X-Forwarded-Host only from configured trusted proxies and otherwise using the verified request host. The fix is backported to all supported release lines including 2.34.2, 2.33.8, 2.32.7, and 2.29.17.
Potential Impact
An attacker who controls a shared workspace app can exploit this vulnerability to read private app data of other users by forging the X-Forwarded-Host header. This leads to unauthorized disclosure of sensitive information scoped to subdomain app routing environments. The attack requires specific deployment conditions: subdomain app routing enabled and no upstream proxy stripping the X-Forwarded-Host header. The vulnerability does not affect availability or integrity but results in a confidentiality breach.
Mitigation Recommendations
A fix is available and has been backported to all supported release lines: 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Users should upgrade to these versions or later. As a workaround, deploy an upstream reverse proxy that strips or overwrites the X-Forwarded-Host header on untrusted requests to prevent exploitation. The fix ensures that X-Forwarded-Host is trusted only from configured trusted proxies and otherwise uses the verified request host for routing.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-5g4w-3vw9-478w
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-55430"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a4c340327e9c797195f5f40
Added to database: 07/06/2026, 23:02:27 UTC
Last enriched: 07/06/2026, 23:12:34 UTC
Last updated: 07/06/2026, 23:12:34 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.