GHSA-m3cr-vc2j-pm27: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
A command injection vulnerability exists in the Coder dotfiles registry module due to unsanitized user input in the dotfiles_uri parameter. This allows arbitrary code execution inside a provisioned workspace. The vulnerability is amplified by the Create Workspace page's mode=auto parameter, which enables automatic workspace creation via crafted URLs without user consent. An attacker can exploit this by tricking an authenticated user into clicking a malicious link, resulting in immediate workspace creation with attacker-controlled parameters. The issue was fixed by adding input validation to the dotfiles module and removing unsafe shell command execution, plus adding a user consent dialog to block automatic workspace creation without confirmation.
AI Analysis
Technical Summary
The Coder dotfiles registry module improperly interpolated the user-supplied dotfiles_uri value directly into shell commands without sanitization, enabling command injection via shell expansions such as $(...), command separators, or backticks. This allowed arbitrary code execution within the user's workspace. The Create Workspace page's mode=auto parameter combined with param.* URL parameters enabled an attacker to craft a URL that silently provisions a workspace with malicious dotfiles_uri, requiring only that an authenticated user click the link. The primary fix involved input validation rejecting special characters and removing unsafe shell evaluation in the dotfiles module. Additionally, a consent dialog was introduced in the Coder product to prevent automatic workspace creation without explicit user confirmation, mitigating the one-click attack vector.
Potential Impact
Successful exploitation results in arbitrary code execution within the victim's workspace. Depending on workspace privileges, this can lead to exposure of Git credentials, secrets, and workspace files, and potentially allow lateral movement within the environment. The mode=auto parameter reduces exploitation complexity to a single click by an authenticated user, increasing the risk of attack.
Mitigation Recommendations
Official patches are available. The dotfiles module was updated to validate input and remove unsafe shell command execution, eliminating the root cause of command injection. The Coder product added a consent dialog requiring explicit user confirmation before workspace creation, removing the mode=auto automatic creation vector. Users should upgrade to patched releases: v2.29.7 (ESR) or v2.30.2 (mainline) or later. Patch status is confirmed by vendor advisories and GitHub commits linked in the advisory.
GHSA-m3cr-vc2j-pm27: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Description
A command injection vulnerability exists in the Coder dotfiles registry module due to unsanitized user input in the dotfiles_uri parameter. This allows arbitrary code execution inside a provisioned workspace. The vulnerability is amplified by the Create Workspace page's mode=auto parameter, which enables automatic workspace creation via crafted URLs without user consent. An attacker can exploit this by tricking an authenticated user into clicking a malicious link, resulting in immediate workspace creation with attacker-controlled parameters. The issue was fixed by adding input validation to the dotfiles module and removing unsafe shell command execution, plus adding a user consent dialog to block automatic workspace creation without confirmation.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Coder dotfiles registry module improperly interpolated the user-supplied dotfiles_uri value directly into shell commands without sanitization, enabling command injection via shell expansions such as $(...), command separators, or backticks. This allowed arbitrary code execution within the user's workspace. The Create Workspace page's mode=auto parameter combined with param.* URL parameters enabled an attacker to craft a URL that silently provisions a workspace with malicious dotfiles_uri, requiring only that an authenticated user click the link. The primary fix involved input validation rejecting special characters and removing unsafe shell evaluation in the dotfiles module. Additionally, a consent dialog was introduced in the Coder product to prevent automatic workspace creation without explicit user confirmation, mitigating the one-click attack vector.
Potential Impact
Successful exploitation results in arbitrary code execution within the victim's workspace. Depending on workspace privileges, this can lead to exposure of Git credentials, secrets, and workspace files, and potentially allow lateral movement within the environment. The mode=auto parameter reduces exploitation complexity to a single click by an authenticated user, increasing the risk of attack.
Mitigation Recommendations
Official patches are available. The dotfiles module was updated to validate input and remove unsafe shell command execution, eliminating the root cause of command injection. The Coder product added a consent dialog requiring explicit user confirmation before workspace creation, removing the mode=auto automatic creation vector. Users should upgrade to patched releases: v2.29.7 (ESR) or v2.30.2 (mainline) or later. Patch status is confirmed by vendor advisories and GitHub commits linked in the advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-m3cr-vc2j-pm27
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-44454"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a46ecc227e9c7971943d40b
Added to database: 07/02/2026, 22:57:06 UTC
Last enriched: 07/02/2026, 23:16:36 UTC
Last updated: 07/03/2026, 00:01:54 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.