CVE-2026-44454
unknown
CVSS v3
-
CVSS v4
-
VIR risk
-
Description
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Predictions
Exploit likelihood
30%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/coder/coder/v2 | <2.29.7 | 2.29.7 |
| Go | github.com/coder/coder/v2 | >=2.30.0,<2.30.2 | 2.30.2 |
| Go | github.com/coder/coder | <=0.27.3 | |
References
- https://github.com/coder/coder/security/advisories/GHSA-m3cr-vc2j-pm27
- https://github.com/coder/coder/pull/22011
- https://github.com/coder/registry/pull/703
- https://github.com/coder/coder/commit/60e3ab7632f42415d283b9fd5622ee53a4639ceb
- https://github.com/coder/registry/commit/8e68c96633f65a1babd76a93b6923e3deead4a82
- https://github.com/coder/coder
- https://github.com/coder/coder/releases/tag/v2.29.7
- https://github.com/coder/coder/releases/tag/v2.30.2