Summary coder config-ssh wrote server-supplied SSH settings (HostnameSuffix, SSHConfigOptions) into the user's ~/.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised C…
| CVE ID | CVE-2026-55427 |
| Vendor | go |
| Affected Product | github.com/coder/coder/v2 |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.3 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
coder config-ssh wrote server-supplied SSH settings (HostnameSuffix, SSHConfigOptions) into the user's ~/.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. > Note: Practical exploitation requires control of the server-supplied values through a malicious or compromised deployment, a man-in-the-middle position or admin access to the HostnameSuffix and SSHConfigOptions settings.ProxyCommand and achieve arbitrary code execution on any developer workstation that ran coder config-ssh. Injected commands ran with the local user's privileges and applieSigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.