<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Route-Hijacking - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/route-hijacking/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:04:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/route-hijacking/feed.xml" rel="self" type="application/rss+xml"/><item><title>Coder Tailnet Vulnerability (CVE-2026-55428) Leads to Route Hijacking</title><link>https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/</link><pubDate>Mon, 06 Jul 2026 21:04:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coder-route-hijacking/</guid><description>A high-severity vulnerability (CVE-2026-55428) in Coder's tailnet coordinator allows a malicious workspace agent to hijack network routes by advertising arbitrary `AllowedIPs` prefixes, enabling interception and spoofing of web terminal and workspace application traffic.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-55428, has been identified in Coder's tailnet coordinator, impacting all supported versions of Coder, including 2.34, 2.33, 2.32, and 2.29 (ESR) prior to their patched releases. The flaw stems from insufficient validation of agent-supplied <code>AllowedIPs</code>, allowing a malicious Coder agent to advertise arbitrary network prefixes. This enables the agent to hijack network traffic intended for other agents, intercepting web terminal and workspace application communications, and potentially serving spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary. This vulnerability could lead to significant data exposure, credential theft, or further compromise of an organization's development environment. The issue was independently disclosed by Anthropic's Security Team.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user gains access to a Coder environment and initiates a workspace.</li>
<li>The authenticated user modifies their Coder agent binary to include malicious functionality capable of manipulating <code>AllowedIPs</code> advertisements.</li>
<li>The malicious Coder agent connects to the Coder tailnet coordinator.</li>
<li>The malicious agent advertises arbitrary <code>AllowedIPs</code> prefixes, including the tailnet address of a target victim agent, to the coordinator.</li>
<li>Due to the vulnerability (CVE-2026-55428), the Coder coordinator, lacking proper validation, forwards these unverified <code>AllowedIPs</code> verbatim to other tunnel peers within the tailnet.</li>
<li>The other tunnel peers, receiving the malicious <code>AllowedIPs</code> configuration, install them into their WireGuard peer configurations, effectively re-routing traffic intended for the victim agent to the malicious agent.</li>
<li>The malicious agent then intercepts web terminal and workspace application traffic from the victim and can serve spoofed content, facilitating data exfiltration, credential harvesting, or further exploitation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-55428 allows an attacker to perform a sophisticated Man-in-the-Middle attack within the Coder tailnet. This enables the interception of sensitive web terminal and workspace application traffic from other users or agents, potentially leading to the theft of credentials, session tokens, or proprietary data. Furthermore, the ability to serve spoofed content means attackers could phish users, deliver malicious updates, or otherwise compromise the integrity of the development environment. The vulnerability affects critical internal communication pathways, posing a severe risk to intellectual property and operational security for organizations utilizing vulnerable Coder versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all affected Coder installations to the patched versions: Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 to remediate CVE-2026-55428.</li>
<li>Monitor Coder coordinator logs for any agents advertising unexpected <code>AllowedIPs</code> prefixes, as this could indicate an attempted or successful exploitation.</li>
<li>Review network configurations to ensure that only trusted and authenticated agents are permitted to interact with the Coder tailnet coordinator.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>cve</category><category>route-hijacking</category><category>network-attack</category><category>supply-chain</category></item></channel></rss>