Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-m3cr-vc2j-pm27: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent

0
High
Published: 07/02/2026 (07/02/2026, 18:14:44 UTC)
Source: GCVE Database
Product: github.com/coder/coder/v2

Description

A command injection vulnerability exists in the Coder dotfiles registry module due to unsanitized user input in the dotfiles_uri parameter. This allows arbitrary code execution inside a provisioned workspace. The vulnerability is amplified by the Create Workspace page's mode=auto parameter, which enables automatic workspace creation via crafted URLs without user consent. An attacker can exploit this by tricking an authenticated user into clicking a malicious link, resulting in immediate workspace creation with attacker-controlled parameters. The issue was fixed by adding input validation to the dotfiles module and removing unsafe shell command execution, plus adding a user consent dialog to block automatic workspace creation without confirmation.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected software

Goghsa
github.com/coder/coder/v2
Affected versions
<2.29.7
Goghsa
github.com/coder/coder/v2
Affected versions
>=2.30.0 <2.30.2
Goghsa
github.com/coder/coder
Affected versions
<=0.27.3

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/02/2026, 23:16:36 UTC

Technical Analysis

The Coder dotfiles registry module improperly interpolated the user-supplied dotfiles_uri value directly into shell commands without sanitization, enabling command injection via shell expansions such as $(...), command separators, or backticks. This allowed arbitrary code execution within the user's workspace. The Create Workspace page's mode=auto parameter combined with param.* URL parameters enabled an attacker to craft a URL that silently provisions a workspace with malicious dotfiles_uri, requiring only that an authenticated user click the link. The primary fix involved input validation rejecting special characters and removing unsafe shell evaluation in the dotfiles module. Additionally, a consent dialog was introduced in the Coder product to prevent automatic workspace creation without explicit user confirmation, mitigating the one-click attack vector.

Potential Impact

Successful exploitation results in arbitrary code execution within the victim's workspace. Depending on workspace privileges, this can lead to exposure of Git credentials, secrets, and workspace files, and potentially allow lateral movement within the environment. The mode=auto parameter reduces exploitation complexity to a single click by an authenticated user, increasing the risk of attack.

Mitigation Recommendations

Official patches are available. The dotfiles module was updated to validate input and remove unsafe shell command execution, eliminating the root cause of command injection. The Coder product added a consent dialog requiring explicit user confirmation before workspace creation, removing the mode=auto automatic creation vector. Users should upgrade to patched releases: v2.29.7 (ESR) or v2.30.2 (mainline) or later. Patch status is confirmed by vendor advisories and GitHub commits linked in the advisory.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-m3cr-vc2j-pm27
Osv Schema Version
1.4.0
Aliases
["CVE-2026-44454"]
Ecosystems
["Go"]
Database Specific Severity
HIGH
Cvss Version
3.1

Threat ID: 6a46ecc227e9c7971943d40b

Added to database: 07/02/2026, 22:57:06 UTC

Last enriched: 07/02/2026, 23:16:36 UTC

Last updated: 07/03/2026, 00:01:54 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses