CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55430

mediumCVSS 5.8covered by 2 sourcesfirst seen 2026-07-06
Summary The workspace app proxy resolves the target app from httpapi.RequestHost() which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch() calls. Note: Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip X-Forwarded-Host. Impact App session cookies are scoped to the wildcard parent domain so the browser attaches them to any app subdomain. An attacker who controls a shared workspace app can serve JavaScript that sends same-site requests with a forged X-Forwarded-Host pointing at a victim's private app. The server routes by the attacker-controlled header but authorizes with the victim's cookie which lets the attacker read the victim's private app responses. Subdomain app routing must be enabled and no upstream proxy may strip X-Forwarded-Host. Patches The fix trusts X-Forwarded-Host only from configured trusted proxies and otherwise resolves the routing host from the verified request host. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | v2.34.2 | | 2.33 | v2.33.8 | | 2.32 | v2.32.7 | | 2.29 (ESR) | v2.29.17 | Workarounds Place an upstream reverse proxy that strips or overwrites X-Forwarded-Host on untrusted requests. Resources - Fix: #26204 Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22435) for independently disclosing this issue!

⚡ Watch CVE-2026-55430

Get an email if CVE-2026-55430 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-55430

CVE.org record

Embed the live status

CVE-2026-55430 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55430 status](https://www.csirts.com/badge/CVE-2026-55430)](https://www.csirts.com/cve/CVE-2026-55430)