GHSA-jqj2-x4c5-jfxm: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Summary
A bug in Coder's devcontainer recreate endpoint allowed users with read-only workspace access to destroy containers and cause service outages, because the endpoint only checked read permissions instead of also checking update permissions like similar endpoints do. Exploitation requires the attacker to already have low-privilege access to the target workspace.
Solution / Mitigation
Update to a patched version: v2.34.2 (for release line 2.34), v2.33.8 (for 2.33), v2.32.7 (for 2.32), or v2.29.17 (for ESR 2.29). The fix adds an explicit `ActionUpdate` authorization check before the devcontainer recreation is triggered, matching the security model of the delete endpoint.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-jqj2-x4c5-jfxm
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%