GHSA-5g4w-3vw9-478wMediumCVSS 5.8

Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The workspace app proxy resolves the target app from httpapi.RequestHost() which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch() calls.

Note: Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip X-Forwarded-Host.

Impact

App session cookies are scoped to the wildcard parent domain so the browser attaches them to any app subdomain. An attacker who controls a shared workspace app can serve JavaScript that sends same-site requests with a forged X-Forwarded-Host pointing at a victim's private app. The server routes by the attacker-controlled header but authorizes with the victim's cookie which lets the attacker read the victim's private app responses. Subdomain app routing must be enabled and no upstream proxy may strip X-Forwarded-Host.

Patches

The fix trusts X-Forwarded-Host only from configured trusted proxies and otherwise resolves the routing host from the verified request host.

The fix was backported to all supported release lines:

| Release line | Patched version | |---|---| | 2.34 | v2.34.2 | | 2.33 | v2.33.8 | | 2.32 | v2.32.7 | | 2.29 (ESR) | v2.29.17 |

Workarounds

Place an upstream reverse proxy that strips or overwrites X-Forwarded-Host on untrusted requests.

Resources

  • Fix: #26204

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22435) for independently disclosing this issue!

🎯 Affected products4

  • go/github.com/coder/coder/v2:>= 2.34.0, < 2.34.2
  • go/github.com/coder/coder/v2:>= 2.33.0, < 2.33.8
  • go/github.com/coder/coder/v2:>= 2.30.0, < 2.32.7
  • go/github.com/coder/coder/v2:< 2.29.17

🔗 References (3)