{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/route-hijacking/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Coder \u003e= 2.34.0, \u003c 2.34.2","Coder \u003e= 2.33.0, \u003c 2.33.8","Coder \u003e= 2.30.0, \u003c 2.32.7","Coder \u003c 2.29.17"],"_cs_severities":["high"],"_cs_tags":["vulnerability","cve","route-hijacking","network-attack","supply-chain"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-55428, has been identified in Coder's tailnet coordinator, impacting all supported versions of Coder, including 2.34, 2.33, 2.32, and 2.29 (ESR) prior to their patched releases. The flaw stems from insufficient validation of agent-supplied \u003ccode\u003eAllowedIPs\u003c/code\u003e, allowing a malicious Coder agent to advertise arbitrary network prefixes. This enables the agent to hijack network traffic intended for other agents, intercepting web terminal and workspace application communications, and potentially serving spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary. This vulnerability could lead to significant data exposure, credential theft, or further compromise of an organization's development environment. The issue was independently disclosed by Anthropic's Security Team.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user gains access to a Coder environment and initiates a workspace.\u003c/li\u003e\n\u003cli\u003eThe authenticated user modifies their Coder agent binary to include malicious functionality capable of manipulating \u003ccode\u003eAllowedIPs\u003c/code\u003e advertisements.\u003c/li\u003e\n\u003cli\u003eThe malicious Coder agent connects to the Coder tailnet coordinator.\u003c/li\u003e\n\u003cli\u003eThe malicious agent advertises arbitrary \u003ccode\u003eAllowedIPs\u003c/code\u003e prefixes, including the tailnet address of a target victim agent, to the coordinator.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (CVE-2026-55428), the Coder coordinator, lacking proper validation, forwards these unverified \u003ccode\u003eAllowedIPs\u003c/code\u003e verbatim to other tunnel peers within the tailnet.\u003c/li\u003e\n\u003cli\u003eThe other tunnel peers, receiving the malicious \u003ccode\u003eAllowedIPs\u003c/code\u003e configuration, install them into their WireGuard peer configurations, effectively re-routing traffic intended for the victim agent to the malicious agent.\u003c/li\u003e\n\u003cli\u003eThe malicious agent then intercepts web terminal and workspace application traffic from the victim and can serve spoofed content, facilitating data exfiltration, credential harvesting, or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55428 allows an attacker to perform a sophisticated Man-in-the-Middle attack within the Coder tailnet. This enables the interception of sensitive web terminal and workspace application traffic from other users or agents, potentially leading to the theft of credentials, session tokens, or proprietary data. Furthermore, the ability to serve spoofed content means attackers could phish users, deliver malicious updates, or otherwise compromise the integrity of the development environment. The vulnerability affects critical internal communication pathways, posing a severe risk to intellectual property and operational security for organizations utilizing vulnerable Coder versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all affected Coder installations to the patched versions: Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 to remediate CVE-2026-55428.\u003c/li\u003e\n\u003cli\u003eMonitor Coder coordinator logs for any agents advertising unexpected \u003ccode\u003eAllowedIPs\u003c/code\u003e prefixes, as this could indicate an attempted or successful exploitation.\u003c/li\u003e\n\u003cli\u003eReview network configurations to ensure that only trusted and authenticated agents are permitted to interact with the Coder tailnet coordinator.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:04:20Z","date_published":"2026-07-06T21:04:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/","summary":"A high-severity vulnerability (CVE-2026-55428) in Coder's tailnet coordinator allows a malicious workspace agent to hijack network routes by advertising arbitrary `AllowedIPs` prefixes, enabling interception and spoofing of web terminal and workspace application traffic.","title":"Coder Tailnet Vulnerability (CVE-2026-55428) Leads to Route Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed - Route-Hijacking","version":"https://jsonfeed.org/version/1.1"}