GHSA-5g4w-3vw9-478w: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Summary
Coder's workspace app routing trusts an unauthenticated HTTP header called X-Forwarded-Host (a header that tells the server what hostname the request came for) without verifying it came from a trusted source. An attacker can set this header in their browser to trick the server into routing requests to a victim's private app while still using the victim's authentication cookies (session identifiers), allowing the attacker to read data from that private app. This only works if subdomain app routing (using wildcard hostnames to serve multiple apps) is enabled and the upstream proxy doesn't remove this header.
Solution / Mitigation
Update to a patched version: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (for the extended support release). The fix makes the server trust X-Forwarded-Host only from configured trusted proxies and otherwise uses the verified request host for routing. As a temporary workaround if you cannot update immediately, place an upstream reverse proxy (a server that sits in front of Coder) that strips or overwrites the X-Forwarded-Host header on untrusted requests.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-5g4w-3vw9-478w
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 65%