GHSA-9rjw-3gwp-f59v: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
Summary
A vulnerability in Coder's workspace app system allows attackers with template authorship or external provisioner access to redirect another user's app traffic to their own workspace. The flaw occurs because the system doesn't properly verify that an app ID belongs to the correct workspace before rebinding it to a different agent (the component that handles connections). App IDs are publicly discoverable, making this attack feasible for privileged users.
Solution / Mitigation
Upgrade to a patched version: v2.34.2 (for release line 2.34), v2.33.8 (for 2.33), v2.32.7 (for 2.32), or v2.29.17 (for the ESR line 2.29). The patch adds verification to ensure that existing workspace app rows belong to the workspace being built and rejects attempts to reassign apps across workspaces. No workarounds are available, so upgrading is required.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-9rjw-3gwp-f59v
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%