CVE-2026-55078: Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /a
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of coderd.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-55078
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-550780.60% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 45% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55078 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for Coder
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-55438: Coder allows organizations to provision remote development environments via Terraform. Prior t…nvd · 2026-07-08
- mediumCVE-2026-55437: Coder allows organizations to provision remote development environments via Terraform. Prior t…nvd · 2026-07-08
- highCVE-2026-55436: Coder allows organizations to provision remote development environments via Terraform. Startin…nvd · 2026-07-08
- mediumCVE-2026-55433: Coder allows organizations to provision remote development environments via Terraform. Prior t…nvd · 2026-07-08
- mediumCVE-2026-55432: Coder allows organizations to provision remote development environments via Terraform. Prior t…nvd · 2026-07-08
- highCVE-2026-55431: Coder allows organizations to provision remote development environments via Terraform. Prior t…nvd · 2026-07-08
More from NVD Recent CVEs
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11
- lowCVE-2026-61857: ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing nul…2026-07-11
- lowCVE-2026-61465: ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation…2026-07-11