GHSA-5wg6-jmq2-53pw: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Summary
Coder's workspace app had a security flaw where CORS (cross-origin resource sharing, a browser security feature that controls which websites can access each other's data) checks could be bypassed by using a UUID (universally unique identifier, a standardized format for unique IDs) in a subdomain to trick the system into trusting an attacker's username. An authenticated attacker could craft a malicious URL that, if visited by a victim while logged in, would allow the attacker's code to steal data from the victim's workspace apps.
Solution / Mitigation
Update to patched versions: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (depending on your release line). The fix validates that the subdomain username matches the actual workspace owner and bases CORS decisions on the real owner's identity instead of the unverified username in the URL.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-5wg6-jmq2-53pw
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%