GHSA-x9qq-2qh5-8rxf: Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Summary
A security flaw in Coder allowed workspace owners to register sub-agent apps (helper programs running within a workspace) at a higher sharing level than administrators allowed, potentially exposing apps to unauthenticated users. The bug bypassed the template's MaxPortSharingLevel setting, which is a policy that controls how widely accessible workspace apps can be.
Solution / Mitigation
Update to patched versions: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 depending on your release line. The fix clamps the sub-agent app sharing level to the template's MaxPortSharingLevel. Alternatively, as a temporary workaround, disable wildcard app hostnames by setting `CODER_WILDCARD_ACCESS_URL` to disabled.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-x9qq-2qh5-8rxf
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%