### Summary `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | go | >= 2.34.0, < 2.34.2 | 2.34.2 |
Do you use Anthropic Python? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update Anthropic Python to version 2.34.2
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-55429?
### Summary `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. > **Note:** Exploitation requires elevated access as a template author or external provisioner operator. ### Impact A user with template authorship or external provisioner access can submit a `CompleteJob` payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker's build the victim's app row is rebound to the attacker's agent so later app traffic such as IDE and terminal sessions is proxied to the attacker's workspace. App UUIDs are discoverable through the public API. ### Patches The fix verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds None. Upgrading is required. ### Resources - Fix: #26103 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22441) for independently disclosing this issue!
Is CVE-2026-55429 actively exploited?
No confirmed active exploitation of CVE-2026-55429 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-55429?
Update to patched version: Anthropic Python 2.34.2.
What is the CVSS score for CVE-2026-55429?
CVE-2026-55429 has a CVSS v3.1 base score of 8.7 (HIGH).
What are the technical details?
Original Advisory
### Summary `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. > **Note:** Exploitation requires elevated access as a template author or external provisioner operator. ### Impact A user with template authorship or external provisioner access can submit a `CompleteJob` payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker's build the victim's app row is rebound to the attacker's agent so later app traffic such as IDE and terminal sessions is proxied to the attacker's workspace. App UUIDs are discoverable through the public API. ### Patches The fix verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds None. Upgrading is required. ### Resources - Fix: #26103 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22441) for independently disclosing this issue!
Weaknesses (CWE)
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE
Same package: anthropic CVE-2026-55427 8.3 Analysis pending
Same package: anthropic CVE-2026-55428 8.2 Analysis pending
Same package: anthropic CVE-2026-45370 7.7 utcp-cli: env leak exfiltrates all agent process secrets
Same package: anthropic CVE-2026-55431 7.7 Analysis pending
Same package: anthropic