Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-wrq8-fcv5-8hvp | Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Coder
Coder coder |
|
| Vendors & Products |
Coder
Coder coder |
Wed, 08 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coordinator forwards agent-supplied `AllowedIPs` verbatim to tunnel peers which install them into the WireGuard peer configuration. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates each `AllowedIPs` prefix against the authenticating agent's UUID just like `Addresses`. As a workaround, monitor coordinator logs for agents advertising unexpected `AllowedIPs` prefixes. | |
| Title | Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator | |
| Weaknesses | CWE-285 CWE-863 |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T23:57:45.338Z
Reserved: 2026-06-16T21:59:57.016Z
Link: CVE-2026-55428
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T02:00:12Z
Github GHSA