highCVE-2026-55436

CVE-2026-55436 coder vulnerability

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS).

Productcoder
CVSS7.4
EPSS0.00258
UpdatedJuly 12, 2026

Quick answer

coder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-55436 affects Coder remote development deployments before the patched Coder releases. The practical risk is TLS certificate validation bypass in AI Bridge Proxy outbound HTTPS when no upstream proxy is configured. Prioritize AI Bridge deployments where the proxy and Coder server communicate over a network path that is not loopback or otherwise trusted. Coder fixed this issue in versions 2.32.7, 2.33.8, and 2.34.2; deploy the matching patched branch or a later supported release. Where the advisory lists a workaround, apply it only as a temporary control until the patched version is deployed.

  1. Inventory all Coder server, CLI, provisioner, AI Bridge Proxy, workspace app proxy, and template-author deployments across production, staging, and developer environments.
  2. Identify affected Coder versions and compare each deployment against the fixed releases: 2.32.7, 2.33.8, and 2.34.2, or a later supported release.
  3. Upgrade Coder servers and related components to the patched release for the installed branch, then roll out updated CLI binaries to users and automation hosts where the CLI is affected.
  4. Place the AI Bridge Proxy and Coder server on a trusted path, use valid trusted certificates, and consider mTLS or loopback routing where possible.
  5. Review role bindings, template-author privileges, provisioner daemon access, wildcard app hostname exposure, and reverse proxy header handling for unnecessary trust.
  6. Review AI Bridge Proxy connectivity, certificate errors, and network telemetry for possible on-path interception.
  7. If exploitation or credential exposure is suspected, revoke affected sessions, rotate tokens and credentials, preserve audit logs, and rebuild affected workspaces or hosts where integrity cannot be trusted.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every Coder component reports a patched version: 2.32.7, 2.33.8, and 2.34.2, or a later supported release for that branch.
  • Confirm AI Bridge Proxy rejects untrusted certificates and uses TLS 1.2 or higher with system root CAs.
  • Validate proxy, wildcard app hostname, template, provisioner, and workspace permission settings against the intended least-privilege policy.
  • Review Coder audit logs, reverse proxy logs, and workspace telemetry for exploitation attempts before and after patching.
  • Document patched versions, changed settings, residual exceptions, and evidence, then rerun Fixnx or the relevant vulnerability scan where applicable.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-55436?

coder should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.