Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted `dotfiles_uri` value (for example, one containing shell command substitution such as `$(...)`) could achieve command execution in their own workspace. The Create Workspace page's `mode=auto` deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled `param.dotfiles_uri` and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation. In versions 2.29.7 and 2.30.2, input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe `eval`/`sh -c` usage was removed. This eliminated the command injection at its source.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-m3cr-vc2j-pm27 | Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 07 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, workspace creation via `mode=auto` deep links silently provisioned workspaces with attacker-controlled parameters, requiring no explicit user confirmation. In versions 2.29.7 and 2.30.2, a consent dialog was added that displays all prefilled `param.*` values and blocks creation until the user explicitly clicks Confirm and Create. | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted `dotfiles_uri` value (for example, one containing shell command substitution such as `$(...)`) could achieve command execution in their own workspace. The Create Workspace page's `mode=auto` deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled `param.dotfiles_uri` and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation. In versions 2.29.7 and 2.30.2, input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe `eval`/`sh -c` usage was removed. This eliminated the command injection at its source. |
Tue, 07 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, workspace creation via `mode=auto` deep links silently provisioned workspaces with attacker-controlled parameters, requiring no explicit user confirmation. In versions 2.29.7 and 2.30.2, a consent dialog was added that displays all prefilled `param.*` values and blocks creation until the user explicitly clicks Confirm and Create. | |
| Title | Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent | |
| Weaknesses | CWE-78 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T21:06:20.237Z
Reserved: 2026-05-06T15:49:25.192Z
Link: CVE-2026-44454
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA