{"data":{"id":"6522801a-cd33-4aac-8502-d70926abdccc","title":"GHSA-f5vp-w269-392g: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints","summary":"Coder's AI Bridge provider endpoints had a vulnerability where they read incoming request bodies without limiting their size, allowing an authenticated user to send extremely large requests that consume all available memory and crash the system (denial of service, a type of attack that makes a service unavailable). This vulnerability only affects versions 2.33 and 2.34 and requires the attacker to already have authenticated access to the AI Bridge feature.","solution":"The fix applies `http.MaxBytesReader` (a setting that caps the maximum size of incoming request data) or an equivalent limit before reading request bodies. Update to v2.34.2 or v2.33.8 depending on your release line.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-f5vp-w269-392g","publishedAt":"2026-07-06T21:10:13.000Z","cveId":"CVE-2026-55434","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["github.com/coder/coder/v2@>= 2.33.0, < 2.33.8 (fixed: 2.33.8)","github.com/coder/coder/v2@>= 2.34.0, < 2.34.2 (fixed: 2.34.2)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Coder","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-06T21:10:13.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}