CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55433

mediumCVSS 5.4covered by 2 sourcesfirst seen 2026-07-06
Summary The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Note: Exploitation requires an existing low-privilege role with access to the target workspace. Impact Any authenticated principal with read-only workspace access, such as a Template Admin or Org Template Admin, could recreate a devcontainer, destroying uncommitted in-container state and, if called repeatedly, denying service. This is an authorization bypass leading to data loss and denial of service. Patches The fix adds an explicit ActionUpdate authorization check before the agent is dialed like the delete endpoint. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | v2.34.2 | | 2.33 | v2.33.8 | | 2.32 | v2.32.7 | | 2.29 (ESR) | v2.29.17 | Workarounds None. Resources - Fix: #25812 Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22454) for independently disclosing this issue!

⚡ Watch CVE-2026-55433

Get an email if CVE-2026-55433 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-55433

CVE.org record

Embed the live status

CVE-2026-55433 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55433 status](https://www.csirts.com/badge/CVE-2026-55433)](https://www.csirts.com/cve/CVE-2026-55433)