GHSA-v54h-cp2w-9x4g: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
Summary
The `coder open app` command (a tool that opens external applications linked to workspaces) was vulnerable to leaking session tokens (secret credentials that prove a user's identity) to attacker-controlled websites. When a workspace's external app URL contained a `$SESSION_TOKEN` placeholder, the command would replace it with the real token before opening the URL, potentially sending it to an attacker's server if they controlled the workspace's app definitions. This could allow an attacker to impersonate the user and access their account.
Solution / Mitigation
Update Coder to a patched version: v2.34.2 (for release line 2.34), v2.33.8 (for 2.33), v2.32.7 (for 2.32), or v2.29.17 (for 2.29 ESR). The fix applies a URL-scheme allowlist (a list of approved website protocols) in the CLI and limits session token substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
CVE-2026-2589: The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure
Original source: https://github.com/advisories/GHSA-v54h-cp2w-9x4g
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%